PATIENT CONFIDENTIALITY


TUESDAY, MARCH 24, 1998 

House of Representatives, 

Committee on Ways and Means, 

Subcommittee on Health, 

Washington, DC. 

The Subcommittee met, pursuant to call, at 10 a.m., in room 
1100, Longworth House Office Building, Hon. Bill Thomas (Chair- 
man of the Subcommittee) presiding. 

[The advisory announcing the hearing follows:] 


ADVISORY

FROM THE COMMITTEE ON WAYS AND MEANS
SUBCOMMITTEE ON HEALTH 

FOR IMMEDIATE RELEASE CONTACT: (202) 225-3943 

March 17, 1998 
No. HL-20 


Thomas Announces Hearing on 
Patient Confidentiality 

Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of the
Committee on Ways and Means, today announced that the Subcommittee will hold
a hearing on patient confidentiality. The hearing will take place on Tuesday, March
24, 1998, in the main Committee hearing room, 1100 Longworth House Office Build-
ing, beginning at 10:00 a.m.

In view of the limited time available to hear witnesses, oral testimony at this 
hearing will be from invited witnesses only. However, any individual or organization
not scheduled for an oral appearance may submit a written statement for consider- 
ation by the Committee and for inclusion in the printed record of the hearing. 


BACKGROUND: 


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) re-
quired the Secretary of Health and Human Services to submit to the Congress "de-
tailed recommendations with respect to the privacy of individually identifiable
health information." In developing her recommendations, the Secretary was re-
quired to consult with the National Committee on Vital and Health Statistics and
the Attorney General. The Secretary released her report on September 11, 1997, and
Congress has until August 1999 to pass legislation to protect individual patient con-
fidentiality. If the Congress does not enact legislation, HIPAA directs the Secretary
to issue her own final enforceable regulations by February 2000.

Health care information is used for a variety of purposes including research, dis-
ease prevention, quality assurance, and outcomes measurements. In recent years,
health care information has moved away from paper records to electronic records.
This innovation provides tremendous opportunities for medical advances as well as
new challenges for maintaining patient confidentiality. The Administration's recent
announcement of a delay in the implementation of the HIPAA administrative sim-
plification provisions underscores the complexity of maintaining confidentiality in an
information age.

In announcing the hearing, Chairman Thomas stated: "Our nation has a great
history of leadership in medical advances and health care innovation. I have seen, 
first hand, examples of health care data being used to help in the discovery of new 
medical techniques and technologies. In addition, outcomes studies and consumer 
information based on up-to-date health care data can make our nation's health care 
system better, services more readily available, and care more affordable. However,
it is essential that patient confidentiality concerns are addressed while maintaining 
access to data to promote better health." 


FOCUS OF THE HEARING: 

The hearing will focus on patient confidentiality from the perspective of the health 
care consumers, physicians, providers, and researchers. 

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:


Any person or organization wishing to submit a written statement for the printed 
record of the hearing should submit at least six (6) single-space legal-size copies of
their statement, along with an IBM compatible 3.5-inch diskette in ASCII DOS Text
or WordPerfect 5.1 format only, with their name, address, and hearing date noted
on a label, by the close of business, Tuesday, April 7, 1998, to A.L. Singleton, Chief
of Staff, Committee on Ways and Means, U.S. House of Representatives, 1102 Long- 
worth House Office Building, Washington, D.C. 20515. If those filing written state- 
ments wish to have their statements distributed to the press and interested public 
at the hearing, they may deliver 200 additional copies for this purpose to the Sub- 
committee on Health office, room 1136 Longworth House Office Building, at least 
one hour before the hearing begins. 


FORMATTING REQUIREMENTS: 

Each statement presented for printing to the Committee by a witness, any written 
statement or exhibit submitted for the printed record or any written comments in 
response to a request for written comments must conform to the guidelines listed 
below. Any statement or exhibit not in compliance with these guidelines will not be 
printed, but will be maintained in the Committee files for review and use by the 
Committee. 

1. All statements and any accompanying exhibits for printing must be typed in single space
on legal-size paper and may not exceed a total of 10 pages including attachments. At the same
time written statements are submitted to the Committee, witnesses are now requested to submit
their statements on an IBM compatible 3.5-inch diskette in ASCII DOS Text or WordPerfect
5.1 format. Witnesses are advised that the Committee will rely on electronic submissions for 
printing the official hearing record. 

2. Copies of whole documents submitted as exhibit material will not be accepted for printing. 
Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material 
not meeting these specifications will be maintained in the Committee files for review and use 
by the Committee. 

3. A witness appearing at a public hearing, or submitting a statement for the record of a pub- 
lic hearing, or submitting written comments in response to a published request for comments 
by the Committee, must include on his statement or submission a list of all clients, persons, 
or organizations on whose behalf the witness appears. 

4. A supplemental sheet must accompany each statement listing the name, full address, a 
telephone number where the witness or the designated representative may be reached and a 
topical outline or summary of the comments and recommendations in the full statement. This 
supplemental sheet will not be included in the printed record. 

The above restrictions and limitations apply only to material being submitted for printing. 
Statements and exhibits or supplementary material submitted solely for distribution to the 
Members, the press and the public during the course of a public hearing may be submitted in 
other forms. 


Note: All Committee advisories and news releases are available on the World 
Wide Web at 'http://WWW.HOUSE.GOV/WAYS_MEANS/'. 


The Committee seeks to make its facilities accessible to persons with disabilities.
If you are in need of special accommodations, please call 202-225-1721 or 202-226-
3411 TTD/TTY in advance of the event (four business days notice is requested).
Questions with regard to special accommodation needs in general (including avail-
ability of Committee materials in alternative formats) may be directed to the Com-
mittee as noted above.


Chairman Thomas. The Subcommittee will come to order.

Each day, millions of Americans receive medical treatment. In-
creasingly, patients receive their care from a multifaceted system
of health care entities and professionals. As our health care system
has evolved from a solo practitioner to complex integrated health
systems and everything in between, so has the challenge of ensur- 
ing that patients' private information is not improperly disclosed 
and used for inappropriate purposes. 

National attention regarding the confidentiality of patient infor- 
mation was heightened with the passage of the Health Insurance 
Portability and Accountability Act of 1996. This act required the
Secretary of Health and Human Services to consult with the Na- 
tional Committee on Vital and Health Statistics and the Attorney 
General and to report to the Congress her "detailed recommenda- 
tions with respect to the privacy of individually identifiable health 
information." The Secretary released a report on September 11, 
1997. Congress now has until August 1999 to pass legislation to 
protect that individual patient confidentiality. Without legislation, 
the law says the Secretary will write her own regulations. 

Today this Subcommittee begins its exploration of this important 
topic. We will hear from experts representing various parts of the 
health care system who will share with us their views regarding
the confidentiality of patient information. In reading their testi- 
mony, it was clear to me we are dealing with a very important but 
very delicate issue. If the Congress errs on the side of overprotec- 
tion, we could stifle medical innovation and research which would 
adversely impact public health. Likewise, if we fail to provide the 
American public with adequate reassurance that their individually
identifiable information is protected, some may avoid, delay, or 
carry out protective behavioral patterns dealing with necessary 
treatments. 

Time is critical, not just because the Secretary will issue her own 
regulations in August 1999 if Congress does not act, but as we will 
hear on one of our panels today, if Congress does not act, States
are already acting. And we run the chance, if we do not provide at 
least guidance if not some uniformity, of a crazy quilt pattern con- 
fronting us in which no one's wishes are granted, and that is a very 
real possibility. 

[The opening statement follows:] 

Opening Statement of Chairman Bill Thomas 

Each day, millions of Americans receive medical treatment. Increasingly, patients 
receive their care from a multi-faceted system of health care entities and profes-
sionals. As our health care system has evolved—from the solo practitioner to com-
plex integrated health systems—so has the challenge of ensuring that patients' pri-
vate information is not improperly disclosed and used for inappropriate purposes.

National attention regarding the confidentiality of patient information was height- 
ened with the passage of the Health Insurance Portability and Accountability Act 
of 1996. This Act required the Secretary of Health and Human Services to consult 
with the National Committee on Vital and Health Statistics and the Attorney Gen- 
eral and to report to the Congress her "detailed recommendations with respect to 
the privacy of individually identifiable health information." The Secretary released 
her report on September 11, 1997. The Congress now has until August 1999 to pass 
legislation to protect individual patient confidentiality. Without legislation, the Sec- 
retary will write her own regulations. 

Today, this Subcommittee begins its exploration of this important topic. We will 
hear from several experts, representing various parts of the health care system, who 
will share with us their views regarding the confidentiality of patient information. 
In reading their testimony, it was clear to me that we are dealing with a very deli- 
cate issue. If the Congress errs on the side of over-protection, we could stifle medical 
innovation and research which would adversely impact public health. Likewise, if 
we fail to provide the American public with adequate reassurance that their individ-
ually identifiable information is protected, some may avoid or delay necessary treat-
ments.

I look forward to hearing from our first witness, Dr. Don Detmer, Chair of the 
National Committee on Vital and Health Statistics. 


Chairman Thomas. I look forward to hearing from all of our wit-
nesses, but our first witness, Dr. Don Detmer, is the chair of the
National Committee on Vital and Health Statistics. And Dr.
Detmer, before I recognize you, I would ask my colleague from Wis-
consin if he has any opening statement. Or if he has a written
statement from the Ranking Member, I would make that a part of
the record. But I would recognize the gentleman from Wisconsin.

Mr. Kleczka. Mr. Chairman, I do not know if Mr. Stark has an
opening statement, but if he does, I would ask that that be in-
cluded. I would also like to introduce into the record a statement
from myself on this timely issue.

I want to acknowledge the Chairman's interest in the subject
matter, although when he talks about overprotection, I don't think
we are anywhere near that problem when it comes to a patient's
records. In fact, just a short time ago in the local papers, I think
two or three local drugstores were involved in selling their patient
lists to drug companies. In response to that, consumers received
mailings from drug companies.

I think privacy concerns are something we should be taking more
seriously in this Congress, not only as it deals with the Internet
and Social Security numbers, but now we have seen in the most
recent past a series of drugstores selling their patient lists. I think
Congress should not sit idly by while all this continues to happen.
I think we should be proactive and err on the side of the consumer.

Thank you, Mr. Chairman. 

[The opening statement follows:]

Opening Statement of Congressman Jerry Kleczka

I am pleased Chairwoman Thomas has called this hearing on medical privacy 
today. This public debate will draw attention to one of the most important issues 
facing the subcommittee and American public: guaranteeing the privacy of all Amer- 
icans' personal and medical information. This guarantee is particularly important 
given the rapid technological advances and awe-inspiring medical discoveries being 
made every day. 

I was appalled, as I am sure many of my colleagues were, to read in recent Wash-
ington Post articles about drugstores selling confidential patient prescription infor-
mation to outside companies for marketing purposes. While the companies in ques-
tion quickly changed their practices when consumers expressed outrage at these
revelations, the practice of selling prescription information to third parties continues
to go on throughout the nation.

Imagine simply going to the local drug store to fill a prescription, and, without 
your permission, the pharmacist behind the counter transmits your medical and 
prescription information to a direct marketing firm. Certainly, innocent consumers 
filling prescriptions should have at the very least an expectation of privacy. Sending 
confidential prescription information to a marketing company that has absolutely no 
medical expertise or purpose for receiving that information other than to profit from 
it raises serious ethical questions. I believe legitimate checks can and should be 
placed on this type of practice. 

Too many Americans operate under the assumption that their private medical 
records are just that, private. However, in today's computer age where personal in- 
formation can be transmitted across the country quite literally at a push of a but- 
ton, threats to the privacy of individuals' medical records have never been greater. 
While this technological innovation has provided opportunities for and led to im-
portant medical advances, it has come with a price—the price of sacrificing one's per-
sonal privacy and security.

There are, of course, appropriate uses for electronically transmitting medical in- 
formation. For example, managed care networks, insurers, medical researchers, or 
benefits managers arguably have legitimate needs for quick and easy access to med-
ical records. However, the idea that potentially thousands of individuals could gain
access to this electronic data—something so sacred and private as a diagnosis of
mental illness or terminal illness, for example—gives me pause. I find it even more
troubling that this private information can and is electronically transmitted for ab- 
solutely no legitimate medical purpose. Transmitting this information to a third- 
party solely to improve the profit margins of a pharmaceutical company is simply 
unconscionable. 

The Health Insurance Portability and Accountability Act of 1996 required the Sec-
retary of Health and Human Services to submit detailed recommendations with re-
spect to the privacy of individual's health information. The Secretary released her
report this past September and we in Congress have until August 1999 to pass leg-
islation protecting patient confidentiality. My hope is that as we prepare this legis-
lation Congress will not only reflect back on the testimony heard today, but also on
the missteps and breaches of confidentiality that have occurred in the past and 
place strong protections for the future. 


Chairman Thomas. I thank the gentleman. Our goal is not to err 
on either side but to pass informed legislation. Our goal is not to
legislate by anecdote but be informed legislators. That is the pur- 
pose of this hearing. 

And with that, I recognize Dr. Detmer and tell him that the writ- 
ten statement he has will be made a part of the written record, 
without objection, and you can address us in any way you see fit 
in the time you have available. 

Dr. Detmer. Thank you very much, Mr. Chairman. Good morn- 
ing. 

Chairman Thomas. I will tell you in advance these microphones 
are unidirectional and you have to speak directly into them and 
relatively close. 

STATEMENT OF DON E. DETMER, M.D., CHAIRMAN, U.S.
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Dr. Detmer. I appreciate the opportunity to appear before the 
Subcommittee on this extraordinarily important legislative issue.
Privacy, confidentiality, and security of individual health informa- 
tion touches the lives of all Americans in a very personal way, and 
your actions will influence the future course of health care and the 
future of medicine itself. 

I am a university professor and senior vice president at the Uni- 
versity of Virginia and a practicing surgeon. I am here today in my 
role as chair of the National Committee on Vital and Health Statis- 
tics. As you are aware, the committee is a nearly 50-year-old statu- 
tory public advisory body to the Secretary of Health and Human 
Services on health data privacy and health information policy. Its 
18 members include four practicing physicians. 

Through the mandates of the 1996 Health Insurance Portability 
and Accountability Act, the committee's responsibilities were broad- 
ened to encompass health statistics, privacy, and computer-based 
clinical records for both the public and private sector. Last June
the committee provided its initial recommendations to the Sec-
retary and she, in turn, submitted her detailed recommendations
to Congress last September. 

All in all, the committee held over 20 days, full days, of public 
hearings and heard from more than 200 witnesses who discussed 
data standards, privacy, and security issues. The hearings included 
representatives from across the entire spectrum of the health com- 
munity. This extensive public consultation was immensely helpful 
to us as we formulated our recommendations to Secretary Shalala, 
and we continue to hold hearings to further refine our advice. 

Our hearings showed strong and widespread support for Federal 
health privacy legislation. At the same time, it is clear our society 
has not yet reached a consensus about the definition and bound-
aries of privacy in an information age. The committee has con-
cluded that our Nation faces a privacy crisis today, and legislation
is urgently needed to address two policy deficiencies. 

First, we lack solid Federal legislation on fair information prac- 
tices for personal health information. Second, we lack sufficient 
antidiscrimination statutes to keep personal health information 
from being used against citizens in areas such as employment and 
insurability. With the fast pace of progress in medicine and tech- 
nology, this further complicates an already complex situation. 

With the exception of one abstention, all the recommendations 
from the Committee were unanimous. What does the committee 
wish to see in this legislation? 

We want a law that requires creators and users of identifiable 
health information to ensure a full range of fair information prac- 
tices, including the patient's right of access to his or her records, 
the right to seek amendment of records, and the right to be in- 
formed about users and uses of health information. 

We seek reasonable restrictions and conditions on access to and 
use of personally identifiable health information that maintains 
protections for the information as it passes into the hands of sec- 
ondary and tertiary users, so that there are no loopholes that allow 
information to escape appropriate controls. 

We seek adequate security for health data, no matter what 
media are used to create, transmit, or store data. That is, we wish 
the protections to apply to the data itself and not to whatever me- 
dium or technology is used. 

We want those who create and use personally specific health in- 
formation to accept accountability for actions that affect privacy in- 
terests of patients. We support sanctions when restrictions are vio- 
lated. 

We wish to promote the use of nonidentifiable, coded, or 
encrypted information when a function can be fully and substan- 
tially accomplished without more specific identifiers. 

The committee strongly supports the use of health records for all 
forms of legitimate health research without a case-by-case patient 
consent for access to such data, subject to independent review of re- 
search protocols and other procedural protections for patients. 

The committee also strongly supports the use of health records 
for public health purposes, subject to substantive and procedural 
barriers commensurate with the importance of public health func- 
tion. 

The committee believes patients need strong substantive and
procedural protections if their records are to be disclosed to law en- 
forcement officials. 

The committee strongly supports limiting use and disclosure of 
identifiable information to the minimum amount necessary to ac- 
complish the purpose. The committee also strongly believes when 
identifiable health information is made available for nonhealth 
uses, patients deserve a strong assurance that the data will not be 
used to harm them. 

We urge the Congress to pass such legislation during this ses-
sion, since we do not believe the HIPAA privacy regulatory author-
ity is an adequate alternative to legislation.

Clearly, with the continued development of computer-based pa- 
tient health records, it would be best to integrate the appropriate 
security and policy procedures into the emerging architecture of 
such systems, and this will require action now rather than later 
since these systems are being built as I speak to you. Action now 
should allow us to avoid a variant of the "year 2000" problem in 
this age of computers. 

The committee recognizes drafting and passage of the health pri- 
vacy law will not be easy. Health privacy legislation presents hard 
choices and difficult tradeoffs. Health records are primarily used 
for the treatment of patients, to improve the quality of care, reduce 
the cost of health care, expand the availability of health care, pro- 
tect the public health, and assure public accountability of the 
health care system. Privacy competes with all of these objectives, 
and it will not be easy to strike a widely accepted balance between 
privacy and these other worthy goals. The new legislation must re- 
flect the current structure and legislative framework for health 
care and allow for continued progress in health care. 

In summary, two sets of legislation are needed. The first involves
the relationship between privacy as defined by principles of fair in-
formation practices; and the second relates to concerns about dis-
crimination based on health status or conditions. The antidiscrimi-
nation provisions of HIPAA need to be expanded to cover all as-
pects.

Whether or not general privacy concerns and discrimination con- 
cerns should be addressed together in the same piece of legislation, 
you can best decide. An already complex health privacy account- 
ability bill may not be the best place to sort out responses to the 
important discrimination problems. 

The National Committee on Vital and Health Statistics calls on 
everyone to work together in good faith. Everyone should benefit 
from a well-crafted set of fair information practices for health infor- 
mation. Patients will have new rights and greater protections for 
sensitive information. Critically important, trust in the provider- 
patient relationship will be preserved. Providers and insurers will 
have clearer rules and responsibilities. Secondary users will know 
when they can and cannot have information and what their obliga- 
tions and penalties are if these obligations are ignored. 

The committee is pleased to provide a public forum for continued 
advice on these issues, and we look forward to working with you 
and others to achieve a comprehensive and balanced public privacy 
health information law. 

Thank you, Mr. Chairman. I would be happy to answer ques-
tions.

[The prepared statement follows:] 

Statement of Don E. Detmer, M.D., Chairman, U.S. National Committee on
Vital and Health Statistics 

Introduction 

Thank you, Mr. Chairman. It is a pleasure to appear before the Committee today
to discuss health information privacy, confidentiality, and security issues. I am cur-
rently University Professor and Senior Vice President at the University of Virginia
and a practicing surgeon. I appear before you today in my role as chair of the Na-
tional Committee on Vital and Health Statistics (NCVHS). The NCVHS is the statu-
tory public advisory body to the Secretary of Health and Human Services on health
data, privacy and national health information policy.

The NCVHS has a distinguished, nearly fifty year history of providing the govern-
ment with broad based advice on health data issues, including data needed to as-
sure the quality of care, meet public health needs as well as data needs for other
purposes. In 1996, the Health Insurance Portability and Accountability Act (HIPAA)
assigned the committee new responsibilities for health information policy develop- 
ment on data standards, privacy, and computer-based clinical records for both the 
public and private sectors. 

The Committee is made up of 18 members, sixteen appointed by the HHS Sec- 
retary, one appointed by the Speaker of the House and one appointed by the Presi- 
dent pro tempore of the Senate. Members are appointed from among individuals who 
have distinguished themselves in a variety of fields ranging from privacy and secu- 
rity of health information to the provision of health services and population-based 
public health. Four of the current members are practicing physicians. 

As a result of the passage of HIPAA, the nation has the potential to achieve major 
improvements in the quality and effectiveness of health care and the efficiency of 
the health sector through improved information technology. And the law provides 
this opportunity in a national framework that protects the privacy and security of 
health information. The primary focus of the law is on private health insurance re- 
form. However, the provisions on Administrative Simplification outline a new na- 
tional framework for health data standards, security and health information privacy 
in the U.S. 

Today, I will focus on the health information privacy provisions of HIPAA, and 
especially on the NCVHS's recommendations to HHS relating to health information 
privacy. HIPAA required that the Secretary of Health and Human Services submit 
"detailed recommendations" to the Congress "with respect to the privacy of individ- 
ually identifiable health information." In preparing her recommendations, the Sec- 
retary was directed to consult with the National Committee on Vital and Health 
Statistics. Last June, the NCVHS provided our initial recommendations on privacy,
confidentiality, and security to Secretary Shalala. She, in turn, submitted her de- 
tailed recommendations to Congress last September. 

Our full report is available on the NCVHS website: http://aspe.os.dhhs.gov/ncvhs, 
and the Secretary's privacy recommendations are available on the HHS administra-
tive simplification website: http://aspe.os.dhhs.gov/admnsimp.

NCVHS Health Information Privacy Recommendations 

As a basis for our privacy recommendations, the NCVHS held six full days of pub-
lic hearings last year during which we heard from over 40 witnesses. All in all, we
held over 20 full days of public hearings and heard from more than 200 witnesses 
who discussed data standards, privacy and security issues. The hearings included 
representatives from across the entire spectrum of the health community, including 
the privacy community, research, public health, quality assurance, insurance, man- 
aged care, law enforcement and oversight, providers, claims processors, the drug in- 
dustry, federal agencies and consumer interest groups. This public consultation was 
immensely helpful to us as we formulated our recommendations to Secretary 
Shalala. 

First of all, our hearings showed strong and widespread support for federal health 
privacy legislation. And with the exception of one abstention, all recommendations 
of the committee were unanimous. The committee had difficulty with the definition 
of privacy as it relates to the confidentiality and security of person-specific health 
information. It chose to use the word "privacy" in its report mainly since the word 
has been the major term used in public discussion of this topic. The culture has yet
to reach a consensus on what privacy should mean in contemporary society. 

Be that as it may, the committee concluded that the United States is in the midst 
of a health privacy crisis. The protection of health records has eroded significantly 
in the last two decades. Major contributing factors are ongoing institutional changes 
in the structure of the health care system and the lack of modern privacy legisla- 
tion. Without a federal health privacy law, patient protections will continue to dete- 
riorate in the future. 

We also concluded that the importance of trust in the provider-patient relation- 
ship must be preserved. Patients must feel comfortable in communicating sensitive 
personal information. Delays in passing privacy legislation will allow additional and 
uncontrolled uses of health information to develop. Failure to address health data 
privacy concerns can undermine public confidence in the health care system, expose 
patients to continuing invasions of privacy, subject record keepers to potentially sig- 
nificant legal liability, and interfere with the ability of health care providers and 
others to operate the health care delivery and payment system in an effective and 
efficient manner. 

The greater the delay in imposing meaningful controls on inappropriate use and 
disclosure of identifiable health information, the more difficult it may be to generate 
enthusiasm for instituting necessary restrictions on use and disclosure, or change 
the way that information is acquired, maintained, and used. Clearly, with the con- 
tinued development of computer-based patient record systems, it would be best to 
integrate the appropriate security and policy procedures into the emerging architec- 
ture of such systems. 

The NCVHS recommended that the Secretary and the Administration assign the
highest priority to the development of a strong position on health privacy that pro- 
vides the highest possible level of protection for the privacy rights of patients. Any 
realistic proposal must properly balance the important and well-established inter- 
ests of patients in the protection of their health information and the legitimate 
needs of the health care system to provide and pay for health care in an efficient, 
effective and fair manner while supporting the responsible use of health records for 
public health and health research, and other legitimate social purposes. 

The Health Insurance Portability and Accountability Act provides that if the Congress
does not pass privacy legislation by August 1999, then the Secretary of HHS
is authorized to issue regulations containing standards for the privacy of electronic
administrative and financial transactions. However, the Committee found a clear
and strong preference for a comprehensive legislative solution, rather than address- 
ing health privacy through the regulatory process alone. 

It is difficult to address health privacy requirements in a piecemeal fashion. Rules 
that only cover electronic health care transactions but not paper-based transactions 
or other types of health records could prove very difficult to develop or administer. 
Further, the committee firmly believes that policy on data confidentiality and secu- 
rity should not be contingent upon the form, medium, or technology used to record 
or work with health data, e.g., paper, fax, or an electronic medium. 

Consequently, the NCVHS strongly recommends that the Congress enact a health
privacy law before it adjourns this fall. Leaders in both House and Senate should
publicly endorse the need for strong and effective privacy legislation that provides 
meaningful protections to patients. Congressional leaders should ask relevant legis- 
lative committees to agree to a timetable for action. The Congress should not treat 
the existence of the regulatory authority as an adequate alternative to legislation. 

The Committee calls for a law that requires creators and users of identifiable 
health information to 

• ensure a full range of fair information practices, including a patient's right of 
access to records, right to seek amendment of records, and right to be informed 
about uses of health information;

• accept reasonable restrictions and conditions on access to and use of identifiable
health information;

• maintain protections for health information as it passes into the hands of secondary
and tertiary users so that there are no loopholes that allow health information
to escape from privacy controls;

• provide adequate security for health data no matter what media are used to create,
transmit, or store data;

• accept accountability for actions that affect the privacy interests of patients;

• promote the use of non-identifiable, coded, or encrypted information when a 
function can be fully or substantially accomplished without more specific identifiers. 

The law must also impose restrictions on disclosure and use of the information 
and impose sanctions for violations. 

The Committee strongly supports the use of health records for health research
without a case by case patient consent for access to such data, subject to independ- 
ent review of research protocols and other procedural protections for patients. 

The Committee also strongly supports the use of health records for public health 
purposes, subject to substantive and procedural barriers commensurate with the im- 
portance of the public health functions. 

The Committee believes that patients need strong substantive and procedural pro- 
tections if their health records are to be disclosed to law enforcement officials. 

The Committee strongly supports limiting use and disclosure of identifiable infor- 
mation to the minimum amount necessary to accomplish the purpose. The Commit- 
tee also strongly believes that when identifiable health information is made avail- 
able for non-health uses, patients deserve a strong assurance that the data will not 
be used to harm them. 

The Committee recognizes that the drafting and passage of a health privacy law 
will not be easy. Health privacy legislation presents hard choices and difficult trade- 
offs. Health records are primarily used for the treatment of patients and to improve 
the quality of health care, reduce the costs of health care, expand the availability 
of health care, protect the public health, and assure public accountability of the 
health care system. Privacy competes with all of these objectives, and it will not be 
easy to strike a widely accepted balance between privacy and these other worthy 
goals. As mentioned earlier, the task is not made any easier by the lack of agree- 
ment about what privacy even means in contemporary American society. 

In our hearings, users of health information uniformly expressed strong support 
for privacy legislation. However, most users also asked that no— or at most few— 
new restrictions be placed on their ability to collect, use, and disclose health infor- 
mation. The Committee believes that it is unfair and unreasonable for any health 
data user to expect that health privacy legislation will not require some change in 
policy and practice. Everyone— patients and record keepers alike— will benefit from 
health privacy legislation, and everyone is likely to pay some price for the legisla- 
tion. 

At the same time, the Committee recognizes that privacy legislation must take 
into account the complexity and the needs of the current health care delivery and 
payment system. New legislation must reflect the current structure and legislative 
framework for health care. Changes can and must be made, but no one can expect 
that the health care system will be restructured solely in the interests of privacy 
and without regard to cost. Indeed, achieving cost savings from administrative sim- 
plification was a key driver behind the Health Insurance Portability and Account- 
ability Act of 1996. The Committee has no doubt that a privacy bill can be passed 
that balances the interests of patients with the needs of the health care system. 

The Committee also recognizes that passing legislation will not end either the de- 
bate or the struggle to accomplish desired improvements. Once a law passes, record 
keepers will have to change to accommodate the new rules, federal and state agen- 
cies will have to oversee implementation of the new law, and the Congress may be 
called upon to refine the law in the future. International data protection standards 
are being developed, and the United States needs to be a full partner in this effort. 

Special Issues 

Let me now turn to several additional issues that we heard about in our hearings.

Need for Anti-Discrimination Law

One issue that arose from time to time during the hearings was the relationship 
between privacy (as defined by principles of fair information practices) and discrimi- 
nation. Clearly some motivation for protecting health information is to prevent the 
discriminatory use of the information both inside and outside the health care set- 
ting. Patients receiving care for some health conditions or who have been the subject 
of genetic testing have been and continue to be the subject of discrimination in em- 
ployment, insurance, and elsewhere. Several current bills address the possible dis- 
criminatory use of genetic information. 

Discrimination based on health status and condition remains a major and impor- 
tant concern, and it deserves a legislative solution. Whether or not general privacy 
concerns and discrimination concerns should be addressed together in the same 
piece of legislation, you can best decide. However, an already complex health privacy 
and confidentiality bill may not be the best place to sort out responses to equally complex
discrimination problems. The Committee suggests that privacy and discrimination
issues both deserve explicit legislative treatment. The Committee urges the
Congress to consider legislation expanding the anti-discrimination provisions of 
HIPAA to cover all aspects of discrimination based on health status and condition. 

Preemption

Perhaps the most difficult conflict identified during our hearings is over preemption
of state laws. Among large segments of the health industry, a major benefit to
federal legislation is a high degree of regulatory uniformity throughout the country. 
The interstate nature of health care treatment and payment activities is readily ap- 
parent. By one estimate, approximately half of the U.S. population lives near the 
border of another state. To have a patient work in the District of Columbia, reside 
in Maryland, and receive care in Virginia creates a nightmare for the health care 
system to track unless substantial uniformity of policies and procedures exists. It 
will be difficult for many involved in electronic transfers of health data to accept 
any proposal that does not offer significant relief from the prospect of 50 different 
state laws establishing separate rules. 

On the other hand, it would be difficult for many patient groups, privacy advo- 
cates and perhaps some provider groups to accept any proposal that does not allow 
states to adopt stronger privacy protections as specified in the HIPAA. People dis- 
agree whether existing state laws offer greater protection than most of the current 
federal proposals. There is strong support in some communities for a solid federal 
confidentiality standard that allows states to erect stronger privacy barriers. This 
was the approach that Secretary Shalala recommended last September. 

The Committee suggests, however, that this issue need not be treated as a single 
problem with a single solution. The conflicts need to be broken down into components,
and each component analyzed separately. In some areas, the case for federal
preemption may be strong. For example, it may be unnecessarily complex to support 
50 different patient access procedures. On the other hand, the need to recognize the 
diversity of state public health laws is already clearly reflected in most proposals. 
No one has suggested or is likely to support a uniform federal public health law. 
A narrower and careful analysis of preemption may help to minimize the admittedly 
strong conflicts here and may point to more effective resolutions. However, if sufficient
national conformity is not achieved, both national and international objectives
cannot be met. 

The Committee stands willing to respond to such remaining issues in new legisla- 
tion if and as the Congress desires. 

Unique Health Identifier for Individuals 

Because of privacy concerns, the NCVHS has recommended that HHS not adopt
a standard for unique identifier for individuals as called for in HIPAA until privacy
legislation is enacted. The NCVHS stated that "...it would be unwise and premature
to proceed to select and implement such an identifier in the absence of legislation 
to assure the confidentiality of individually identifiable health information and to 
preserve an individual's right to privacy." 

The NCVHS outlined three sets of concerns. First, we noted that the selection of
a unique health identifier for individuals will become the focus of tremendous public 
attention and interest, far beyond that afforded to other health privacy decisions. 
No choice, the Committee concluded, should be made without more public notice, 
hearings and comment. 

Second, we concluded that, until a new federal law adequately protects the con- 
fidentiality of the health record, it is not possible to make a sufficiently informed 
choice about an identification number or procedure. The degree of formal legal pro- 
tection in such a law will have a major influence on both the decision itself and the 
public acceptance of that decision. Indeed, we would hope that passage of a com- 
prehensive health privacy law would make the choice of an identifier easier, e.g., 
less threatening. 

Finally, the NCVHS stated that a unique health identifier could not be protected
from misuses under current law, notwithstanding the criminal penalties for wrongful
disclosure enacted in HIPAA.

At the same time, the Committee feels an obligation to address the law and pro- 
vide advice on this controversial matter. Accordingly, we are planning to hold sev- 
eral public hearings around the country to gather information and explore the issue 
further. This will be done in conjunction with the planned publication by HHS of
a Notice of Intent to gather descriptive and evaluative information on unique identi- 
fiers for use in the health system on a systematic basis, including current practices, 
before developing any further recommendations. Lack of unanimity from the com- 
mittee on this topic may occur, reflecting the difficult nature of the problem. 

Computer Technology 

Testimony received by the Committee showed that computers are perceived dif- 
ferently by different individuals and groups. Some view them as major threats to 
patient privacy and others as tools for offering far greater protection of personal
health data than is achievable with paper records. In terms of limiting release to
selected information, computer-based data offers the greatest potential to avoid revealing
patient identifiers. Others see computerized repositories of health data as
magnets for hackers and other abusers and presume huge health data repositories
are forthcoming. Testimony suggested that the real threats to computerized information—
as with paper records— come from insiders and not from hackers. Unfortunately,
this debate is hampered by a lack of sufficient, good health services research
on the frequency and seriousness of problems in this area. Anecdotal information
abounds with legitimate questions remaining as to its validity and representativeness.

Some have suggested that the patient authorization process should be expanded
and that patients should be asked or permitted to make decisions about whether
their information may or may not be computerized. The Committee is not sympathetic
to the notion that patients should have a choice in the technology used to create,
store and transmit health information. This is not a choice that record subjects
have for records maintained by other third party record keepers such as banks and employers.
Requiring health record keepers— who are spending vast sums on computerization—
to retain parallel paper systems is impractical and costly. It would deny
the benefits and savings that the Congress has already determined will result from 
increased use of modern information technology. 

Computers are an inevitable part of modern health care and indeed are intrinsic 
to the actual delivery of hospital care today. In addition, computer technology can 
provide strengthened confidentiality protections for personal health information. We 
should move on to debate the proper protections for records in a computerized envi- 
ronment. One response would be increased criminal and civil penalties for misuse 
of computerized health records. These penalties should apply to both inside and out- 
side abusers of health data. 

Law Enforcement 

Testimony revealed sharp differences over the standards and procedures that 
should govern law enforcement access to health records. The law enforcement com- 
munity contends that its track record accessing health records is a good one and 
that its access authority is not abused. Some health care providers and privacy ad- 
vocates, however, seek to establish higher standards that would require law enforce- 
ment requests for records to obtain court orders, to provide patient notice, and to 
expressly justify each access to records. 

Several privacy proposals would prevent use of health records against the record 
subject if an investigation of a provider brought to light criminal activity by the pa- 
tient other than health care fraud. 

This is the one major area where the NCVHS respectfully differs from Secretary
Shalala's recommendations. She recommended no changes to existing laws
relating to law enforcement access to personal health information. Striking a bal- 
ance between the needs of law enforcement and the privacy interests of patients is 
difficult but a crucial piece of this entire puzzle. 

The Committee believes that patients need strong substantive and procedural protections
if their health records are to be disclosed to law enforcement officials. Investigators
should be required to justify the need for patient identifiers and to remove
identifiers at the earliest possible opportunity. Other HIPAA provisions restrict the 
use of health information against the subject of the record unless the investigation 
arises out of and is directly related to health care fraud. If law enforcement wants 
to use the record in another way, it must first obtain a court order. That is one pro- 
cedural barrier that is also included in several current privacy legislative proposals. 
Other proposals go further by requiring notice to the patient in some cases. 

Conclusion 

The NCVHS calls on everyone to work together in good faith. It is crucial that 
the Congress pass a balanced law as quickly as possible. Each year, health informa- 
tion becomes available for new uses, often without any legal, administrative, or pol- 
icy barriers. Unless legislation passes soon, the risks to both patients and record 
keepers grow. 

Everyone should benefit from a well-crafted set of fair information practices for 
health information. Patients will have new rights and greater protections for sen- 
sitive information. Providers and insurers will have clearer responsibilities and 
rules. Secondary users will know when they can have health information, when they 
cannot, what their obligations are, and what penalties will result if these obligations 
are ignored. None of these benefits will be achieved unless everyone approaches the
legislative process with a spirit of compromise.

The NCVHS is pleased to provide a public forum for deliberation and advice on
these issues, and we look forward to working with HHS, the Executive Branch and 
the Congress on a comprehensive and balanced health information privacy law. 

Thank you, Mr Chairman. I would be happy to answer any questions. 


Chairman Thomas. Thank you very much, Doctor. I guess the
easiest way to start would be to indicate that in your testimony you
said that Congress should not treat the existence of the regulatory
authority as an adequate alternative to legislation.

Would you expand on that? Do you have any particular concerns
about the Department of Health and Human Services' ability to
promulgate such regulations? Or is it just too important to leave
up to an agency, and Congress' responsibility ought to be to grapple
with this question? What is it that worries you about letting the
process go the way the legislation is structured?

Dr. Detmer. The key limitation of the process is that the law, 
as written, covers electronic and computer-based information and 
not paper and other forms, and that is the principal concern. So, 
essentially, the legislation really has a more limited scope. 

The committee also feels the legislation dealing with this more 
broadly can generally craft a better response. 

Chairman Thomas. I have been impressed with the learning 
curve of a number of individuals who have been almost outspoken, 
I guess, advocates for privacy, and their understanding of that. 
Electronic data can, if done properly, be even better protected than 
paper records. 

Do you believe there is any role currently or in the near future 
for a rather directed movement toward electronic rather than the 
keeping of paper records; either carrots or sticks of some sort to 
move more rapidly into electronic recordkeeping? 

Dr. Detmer. Yes. First, I would echo your initial comment, but 
very strong differences of opinion exist about this issue. Those of 
us who have actually worked in both the paper era as well as, or
have a professional interest in the electronic approach, feel that ac- 
tually there are a number of advantages to computer-based records. 
You can encrypt it, you can extract solely the information you are 
interested in and move it along, otherwise keeping the rest of the 
record behind. You also have audit trails that can be helpful. 

The point is that with the complexity of health care moving the 
way it is in terms of the technology, the care itself, the medical in- 
formation and such, I think the only way we will have high quality, 
cost-effective care is with computer-based record systems. And, as 
a country, we have not done what we could do to move this tech- 
nology forward. 

A key requirement for progress in this technology relates to what 
we are here today for— privacy legislation is an absolutely essential 
foundation brick needed if we are to see the real benefits of this 
technology develop. 

[The following was subsequently received:] 

In its administrative simplification requirements, the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) (Public Law 104-191, Aug. 21, 1996)
calls for uniform standards for electronic transactions in health administration pre- 
cisely because separate standards developed at other than the national level are not 
workable. 

The Recommendations of the Secretary of Health and Human Services, pursuant 
to section 264 of the Health Insurance Portability and Accountability Act of 1996 
(September 11, 1997), noted that 

[t]here is continuing movement toward a computer-based patient medical record, 
with national standards for content and format, and the possibility of ready inter- 
state transmission as needed for patient care. A major impetus toward adopting this 
type of record was a report of the Institute of Medicine in 1991 that recommended 
adoption of the computer-based patient record as the standard for all patient care 
records. Likewise, increasing use of telemedicine means that patient information 
will often cross State lines, sometimes in real-time delivery of care. This promising 
development is an important facet of the National Information Infrastructure be- 
cause of its potential to provide greater access to quality health care for all Ameri- 
cans, especially those living in rural and remote areas. 

The National Committee on Vital and Health Statistics (NCVHS) last year held 
six days of hearings involving witnesses from the full spectrum of public and private 
constituencies concerned with privacy, consumer interests, and operation of the 
health care system. Testimony received at these hearings showed that "computers 
are perceived both as threats to patient privacy and as tools for protecting personal 
health data. Some see computerized information as the best way to support greater 
use of data without revealing patient identifiers. With traditional paper records, for 
example, the difficulties of creating non-identifiable data are typically significant. It 
may be impractical and very time-consuming to make a complete copy of a paper 
record with all identifying data removed. With a computer record, the administra- 
tive burden of creating anonymized records may be insignificant. Others see comput- 
erized repositories of health data as magnets for hackers and other abusers." Fur- 
ther testimony suggested that 

[T]he real threats to computerized information— as with paper records— come 
from insiders and not from hackers. 

Nevertheless, because of the important and increasing role of computers in health 
care, it is important to be sensitive to both public perceptions and to the possibility 
that abuses of computerized health records will increase in the future. One response 
would be increased criminal and civil penalties for misuse of computerized health 
records. These penalties should apply to both inside and outside abusers of health 
data. 

The Committee noted that it is often overlooked that computers contribute di- 
rectly to improved patient care in many ways, and that debates on the proper role 
of computers and electronic records often focus only on the threats to privacy and 
not the benefits for patients. The committee concluded that a more balanced discus- 
sion about the value and the risks of computers is essential, and 

that we need to do more to develop and implement technological protections for 
health records. Technology offers the possibility that we can use records for socially 
beneficial purposes while fully protecting privacy at the same time. Greater use of 
nonidentifiable, coded, or encrypted records can make everyone better off at little 
or no cost. Technology will not cure all problems related to the use of identifiable 
information, but it can diminish the intensity and scope of the problems. This may 
be the most promising area for additional development. 

The NCVHS has not addressed incentives or disincentives for the keeping of elec- 
tronic records. A new NCVHS workgroup on Computer-based Patient Records may 
address this issue in the future. 


Chairman Thomas. Let me ask the question a slightly different
way. Are our efforts enhanced, do we make the job easier or more
difficult based upon the way we approach how we are going to legislate;
that is, try to deal with the very sensitive question of privacy
for both individually identifiable records and encrypted
records, whether they be electronic or paper; or if we put a serious
emphasis on trying to create a timeline in which we move to the
electronic era and then deal with the same concerns about individually
identified records? I am wondering which, in your opinion,
would get us there in the most efficacious way.

Dr. Detmer. I think if we acted on this issue— if you acted on 
this issue in this session 

Chairman Thomas. I assure you it is going to be "we." 

Dr. Detmer. Well, I would hope so. In any event, if this is acted 
upon in this session, I honestly think the field is moving forward, 
but there are also things that would be in the public's interest that 
the Congress could also do to facilitate the development of 
computer-based health records. 

We have in this country fairly well-developed hospital information
systems compared to those for primary care and smaller care
units. If you look at the United Kingdom or the Netherlands, for
example, they have put in some tax benefits as well as equipment
writeoffs that really have moved that technology forward.

And, incidentally, they have privacy legislation in place, and the 
populations in both of those countries feel quite good actually in 
that sense about this issue. I am not saying to every last person, 
but as a development I think it is seen as a positive thing. 

Chairman Thomas. The difficulty, of course, is that Great Britain 
is a unitary country and we are a Federal system, and States have 
proper roles to play in a number of areas. Dealing directly with in- 
dividuals, for example, with regard to health and welfare, is one of 
the roles the States have to play which makes our job more dif- 
ficult to bridge those differences. 

In looking at the information, one of the concerns I think is warranted
by the individuals who do not want to err, who are concerned
on the side of the right to privacy, is the access to those
identifiable patient records. Does it seem reasonable that if we, for 
example, move toward a system which would allow for a deter- 
mination of who accessed the records, to make that accessing of the 
records available to individuals? 

I know you can place extreme punishment on people misusing 
that information. But I think the most chilling effect often on peo- 
ple misusing that information is to make it easily known as to who 
it is that is accessing those records. That is the first part of the
question. 

The second part, since that involves enforcement in a very direct 
way, it is too simplistic to view the role of the Federal Government 
and the State legislators as perhaps dividing it along that line; that 
where there are identifiable personal records, that could be a very 
proper and appropriate role for the States to deal with how you 
deal with that information; and the encrypted records, primarily 
for research, far more often travel across State lines, are collected 
for purposes that should have a set of protocols properly approved 
by an appropriate agency? Is that too simplistic a view? 

Dr. Detmer. The difficulty, unfortunately, is we have been get- 
ting testimony in some of our recent hearings in particular that the 
ability to assure the data are securely encrypted, clearly identifiable,
or are clearly not identifiable is not likely to be that airtight.

The fact of the matter is, almost all of these things can be open 
to manipulation, if you will. The most likely assurance you will be 
getting encrypted or nonidentifiable data, which involves a lot of 
the information, will simply be from the fact that you have strong 
sanctions in place. People will clearly want to just use nonidentifiable
data as much as possible to avoid, obviously, the exposure to
sanctions for misuse. 

It would be tough to get back directly to your question, to craft 
language in that kind of a dichotomous approach. 

Chairman Thomas. But would you respond directly to the point 
of having the ability to have a clear trail from the identifiable elec- 
tronic data and providing it to, for example, the individual, as to 
who it is that has been looking at the records? 

Dr. Detmer. Yes, I think certainly the trail, the idea of audit 
trails is a protection. It is also true, of course, depending on how 
much information you keep relating to all the trails and who is in- 
volved, that that also then becomes, if it is overdone, yet another 
set of information that could then be abused and hence invade pri- 
vacy. So all of these things have a balance that has to be struck. 

[The following was subsequently received:] 

The NCVHS provided its recommendations on adoption of security standards in
a letter to the Secretary, HHS, dated September 9, 1997. In providing a series of
principles and recommendations for the Secretary's consideration, the Committee
stated that in order for health information systems to be secure, there must be monitoring
of access. Specifically, "[o]rganizations should develop audit trails and mechanisms
to review access to information systems to identify authorized users who
misuse their privileges and perform unauthorized actions and detect attempts by intruders
to access systems."


Chairman Thomas. And then finally, I know it was in your testi- 
mony but I want to underscore it, the administration in making its 
initial proposals placed a privileged category for law enforcement 
agencies, and you voiced some concern about that. 

My assumption is we all understand the importance of that, but 
that in your opinion they probably carved out too big an island, too 
exclusive an approach for law enforcement? 

Dr. Detmer. Yes. With all respect, this was the only area of sig- 
nificant difference between the committee's recommendations and 
the Secretary's recommendations. We urged substantive procedural 
protections. We felt law enforcement should justify their need for 
personal identifiers, remove those identifiers at the earliest pos- 
sible moment, unless needed for fraud investigation, and a court 
order seemed appropriate for access. 

There was a huge array of issues we had to look at. We did not 
spend a detailed amount of time on this, and probably will deserve 
to spend more, but clearly we did differ from the Secretary in that 
and we urged more protections. 

Chairman Thomas. Thank you very much, Doctor. Obviously, we 
will rely on you in your ongoing examination. My belief is this is 
an area that could change relatively quickly in terms of techniques 
that are being developed, especially when we are looking at an Au- 
gust 1999 deadline. At least, I certainly hope so. 

Thank you very much for your input. 

Does the gentleman from Wisconsin wish to inquire? 

Mr. Kleczka. With respect to research currently being done by 
managed care companies, is that being done with the informed con- 
sent of the individuals? 

Dr. Detmer. Right now we have very much a patchwork of in- 
complete and inadequate protections generally. I think most man- 
aged care companies do in fact— and health care organizations— do 
in fact try to protect the data of patients. Obviously, we do not 
have full information. In fact, one of the problems of this whole 
field is a relative lack of the kind of research base that would be 
very useful to us as a committee, as well as to you in your roles. 

In general, if you have health professionals involved in the work, 
whether it is the quality work or cost effectiveness or whatever, 
utilization work, health professionals have a genuine concern for 
confidentiality. And I am not sure it is always done ideally by 
health professionals, but it has been part of their upbringing from 
the time they got into the health professions. There is a bit perhaps 
less dedication and concern for privacy as you get beyond the 
health professionals themselves. 

[The following was subsequently received:] 

We do not know. The Committee does not have information on this area. 


Mr. Kleczka. Later this year the European Union is scheduled 
to come down with a directive relative to transferring of data to a 
third country, and that directive indicates that they want to ensure 
the level of protection. Currently, does this country meet the cri- 
teria that is set forth in that directive? 

Dr. Detmer. It is not precisely clear to me that it does. If you 
really look at it pretty literally, I would say it does not. This is not 
a formal committee view, that is my own assessment of this. The 
committee has not formally assessed the matter. 

But I do think it is important for us, and it does speak to the 
issue of States' preemption. If we do not have a Federal law that 
is sufficiently recognizable as a national standard, we certainly 
could be open to the clear interpretation that we would not be 
meeting the EU guidelines, and it would prevent us from being 
able to share information for purposes of research and other social 
benefit. 

[The following was subsequently received:] 

The EU directive is a very comprehensive privacy law covering all personal data 
and designates an official with power to regulate private sector use of personal data. 
The U.S. does not have a comprehensive legal scheme of data protection, nor an offi- 
cial who has privacy protection as a sole responsibility on a nationwide, or govern- 
ment-wide basis. Rather, it has a number of separate State and Federal laws, but 
no privacy law generally applicable to all data. 


Mr. Kleczka. What would be the impact on this country in terms 
of trade and research should we not meet the criteria and so forth 
in the directive? 

Dr. Detmer. I have not seen specific estimates, but in terms of 
looking certainly at drug development and other activities that are 
in the public's interest, I think it would have an adverse impact on 
what would otherwise be a desirable thing. 

[The following was subsequently received:] 

The impact is not yet clear. It is our understanding that the Commerce Depart- 
ment and the State Department have been involved in discussions with EU staff. 
Within the Department of Health and Human Services, the HHS Data Council is 
surveying its staff and operational divisions to determine the extent to which indi- 
vidually identifiable personal data moves from the EU to the U.S. 


Mr. Kleczka. It is your view, at this point at least, we do not 
currently meet the specifics of that directive? 

Dr. Detmer. That is my own personal interpretation, yes. 

[The following was subsequently received:] 

We believe that the U.S. may not currently meet all of the criteria of the EU di- 
rective. 


Mr. Kleczka. What is the timing of that? It is supposed to come 
down later this year? 

Dr. Detmer. I do not know the specific time. I could get back to 
you on that, but it is coming along though, that is for sure. But 
exactly specifically 

Mr. Kleczka. I have information the effective date is October of 
this year. 

Dr. Detmer. You sound like you have the information. 

Mr. Kleczka. Thank you very much. 

Chairman Thomas. Does the gentleman from Louisiana wish to 
inquire? 

Mr. McCrery. Just a couple of questions, Mr. Chairman. 

Dr. Detmer, I want you to expound a little bit on the question 
of preemption of State laws. I am a little concerned about what I 
perceive to be the Secretary's recommendation that we have a na- 
tional law, a national standard, but that we allow the States to 
enact stricter standards. 

How is that going to solve the problem of uniformity? It seems 
to me to be contradictory. Can you expound upon that? 

Dr. Detmer. Well, this is a very complex issue. The committee, 
to the extent it has spoken to this, feels like it is worth splitting 
out this issue and not looking at it in a totally either all Federal, 
no State, or wide open and a weak Federal floor, if you will. 

There may be areas where it might be very wise to in fact allow 
State standards. For example, the area of public health law. The 
States have very well-developed public health laws that have been 
developed in very good collaboration with the Federal Government. 
So I think our general attitude would be you should look at pre- 
emption piece by piece. 

Speaking personally, you are going to be hearing from a witness 
from Minnesota. If you do see, as the Chairman said, States doing 
too much experimentation, 50 points of light in my view is not nec- 
essarily going to give us enough clarity on this. If you have a suffi- 
ciently high standard, the States will not seek to do more. In some 
areas, like public health law, it is probably the best approach to ac- 
knowledge that body of law. 

[The following was subsequently received:] 

Preemption of state laws was the most difficult conflict identified at the hearings 
we held, and did not yield a clear answer. The NCVHS addressed preemption spe- 
cifically in its recommendations to the Secretary (June 27, 1997), as follows: 

Among large segments of the health industry, a major benefit to federal legisla- 
tion is a high degree of regulatory uniformity throughout the country. The interstate 
nature of health care treatment and payment activities is readily apparent. It will 
be difficult for many involved in electronic transfers of health data to accept any 
proposal that does not offer significant relief from the prospect of 50 different state 
laws establishing separate rules. 

On the other hand, it would be difficult for many patient groups, privacy advo- 
cates and perhaps some provider groups to accept any proposal that does not allow 
states to adopt stronger privacy protections as specified in the HIPAA. People dis- 
agree whether existing state laws offer greater protection than most of the current 
federal proposals, but a proposal is not a law so judgments in this area are pre- 
mature. There is strong support in some communities for a minimum federal con- 
fidentiality standard that allows states to erect stronger privacy barriers. HIPAA al- 
ready reflects a policy that stronger state laws should be allowed to prevail. 

Existing proposals differ on preemption. Most preserve existing state mental 
health and public health laws, but the scope of this language is unclear. H.R. 52 
adds a new idea to the mix by allowing states to pass additional restrictions on ac- 
cess to health records by state officials. 

The Committee suggests, however, that this issue need not be treated as a single 
problem with a single solution. The conflicts need to be broken down into compo- 
nents, and each component analyzed separately. In some areas, the case for federal 
preemption may be stronger. For example, it may be unnecessarily complex to sup- 
port 50 different patient access procedures. On the other hand, the need to recognize 
the diversity of state public health laws is already clearly reflected in most propos- 
als. No one has suggested or is likely to support a uniform federal public health law. 
A narrower and careful analysis of preemption may help to minimize the admittedly 
strong conflicts here and may point to more effective resolutions. However, if suffi- 
cient national conformity is not achieved, both national and international objectives 
cannot be met. 


Mr. McCrery. Can you briefly, if you feel comfortable doing this, 
either on the part of the commission or on your own part, outline 
for us the reasons for having a national standard? 

Dr. Detmer. Well, I think clearly the most critical one in my 
view, speaking as a practicing physician and looking at the fact 
that much of the population in this country lives near State bor- 
ders, if we have stiff penalties in place, let us say a patient works 
in the District, lives in Virginia, and gets their care in Maryland. 
You will have different States which will have different standards, 
with still very stiff Federal penalties. Trying to keep that straight, 
both as a patient and as the provider, it strikes me as really mak- 
ing it very difficult, and we do want to have an effective law. 

If I were just to speak to one thing, that is, in my mind, one of 
the most compelling arguments to be made for strict Federal pre- 
emption. But, again, I would be happy to try to get back to you 
with more specific direction on this very important issue. Without 
question, it is one of the more controversial areas of this legisla- 
tion. 

[The following was subsequently received:] 

The existing legal structure does not effectively control information about individ- 
uals' health. Federal legislation, establishing a basic national standard of confiden- 
tiality, is necessary to provide rights for patients and define responsibilities for 
record keepers. The Committee's position on this is reflected in its recommendations 
to the Secretary (June 27, 1997) wherein it made a number of principal findings: 

The United States is in the midst of a health privacy crisis. The protection of 
health records has eroded significantly in the last two decades. Major contributing 
factors are ongoing institutional changes in the structure of the health care system 
and the lack of modern privacy legislation. Without a federal health privacy law, 
patient protections will continue to deteriorate in the future. 

The importance of trust in the provider-patient relationship must be preserved. 
Patients must feel comfortable in communicating sensitive personal information. 

Delays in passing privacy legislation will allow additional and uncontrolled uses 
of health information to develop. Failure to address health privacy will also under- 
mine public confidence in the health care system, expose patients to continuing in- 
vasions of privacy, subject record keepers to potentially significant legal liability, 
and interfere with the ability of health care providers and others to operate the 
health care delivery and payment system in an effective and efficient manner. The 
greater the delay in imposing meaningful controls on inappropriate use and disclo- 
sure of identifiable individual information, the more difficult it will be to overcome 
institutional resistance to restrictions on use and disclosure or changing the way 
that information is acquired and used. On the other hand, the confidentiality of the 
provider-patient relationship and the confidentiality of health records had been the 
foundation by which the health care system helps ensure the best possible health 
care. It is not easy to strike a fair balance between these sometimes competing con- 
cerns. 


Mr. McCrery. Thank you. That would be helpful, because look- 
ing over your testimony, it is not real clear to me, anyway, what 
your recommendation is. 

Dr. Detmer. OK. 

Mr. McCrery. If you could be more specific, that would be very 
helpful. 

Second question. You talk about needing to guard against dis- 
crimination in a number of areas, including insurance. Most people, 
when they apply for insurance, are they not asked to reveal any 
health conditions that would have an impact? So what is the prob- 
lem on discrimination in insurance? 

If you see that as a problem, perhaps we should move to some 
sort of community rating. That would resolve that. Do you want to 
comment on that? 

Dr. Detmer. We have not talked about the issue of community 
rating as an issue per se. I do think that the very concept of health 
insurance, though, is it is to be something that is there for people 
when they are sick. And if indeed you reveal you have illnesses and 
then you cannot get any coverage, or it is so extravagant or expen- 
sive you cannot afford it, then the very concept of insurance is not 
there. 

At some level this is a very important question and is obviously 
a question that goes beyond the privacy legislation, certainly, but 
I think it is a very critical question: Do people get coverage for ef- 
fective services or not? That is a community rating kind of issue. 

[The following was subsequently received:] 

To the extent that the NCVHS has addressed this matter, its discussions have 
included the following points. The relationship between privacy (as defined by prin- 
ciples of fair information practices) and discrimination is an issue that was raised 
a number of times during the NCVHS hearings last year. Some motivation for pro- 
tecting health information is to prevent the discriminatory use of the information 
both inside and outside the health care setting. Patients receiving care for some 
health conditions or who have been the subject of genetic testing have been and con- 
tinue to be the subject of discrimination in employment, insurance, and elsewhere. 
Several current Congressional bills address the possible discriminatory use of ge- 
netic information. 

Discrimination based on health status and condition remains a major and impor- 
tant concern. While the Committee has not focused its full attention on discrimina- 
tion, legislative responses are appropriate. It is not clear, however, that general pri- 
vacy concerns and discrimination concerns must be or should be addressed together 
in the same piece of legislation. An already complex health privacy bill is not the 
best place to sort out responses to equally complex discrimination problems. The 
Committee suggested in its recommendations to the Secretary (June 27, 1997) that 
privacy and discrimination issues deserve separate legislative treatment. The prob- 
lems of discrimination are important, but not enough work has been done to explore 
the content of anti-discrimination legislation. The Committee urged the Secretary to 
propose legislation expanding the anti-discrimination provisions of HIPAA to cover 
all aspects of discrimination based on health status and condition. 


Mr. McCrery. Thank you. 

Chairman Thomas. Does the gentleman from California wish to 
inquire? 

Mr. Becerra. Let me ask a question, and this may be somewhat 
premature, since we are trying to figure out what we believe con- 
fidentiality or privacy to be and how we address it, but certainly 
some of what we want to protect will have to be done through stat- 
ute. 

The preemption issue, for example, makes it clearly Federal ver- 
sus State. We will have that dispute. But some areas are probably 
best protected by regulation because they may need to change peri- 
odically and statutes would be too difficult to have constantly 
amended. Do you have any sense right now, Dr. Detmer, what 
areas are clearly best left to regulation versus statute? What 
should we not do? 

Dr. Detmer. That is a very tough question and it is one, obvi- 
ously, I think all the Members of the Subcommittee grappled with. 
I do not question at all the validity of your basic comment. It is 
true that if you put too much in a statute, you do not have the 
flexibility that can come with regulation. 

Clearly, I think we do need a set of basic health information 
practice protections, and those, I think, can be a matter of statute. 
Exactly how those play out over time are appropriately left to regu- 
lation. And certainly as the chair of the national committee that 
has a nearly 50-year history of advising government, I think 
that the NCVHS committee review process is a wonderful mecha- 
nism by which regulation can become more attuned to the times 
and the needs. 

Here is a group of private citizens serving and giving expertise 
to the Government, having an opportunity to hold hearings for 
wide varieties of folks and then making recommendations. The 
HIPAA legislation in that regard is a very nice model, because it 
did lay out a general picture, but then it also mandated that regu- 
lations would follow based on explicit hearings and the advice of 
this Subcommittee. 

Mr. Becerra. Is there any particular area you could identify for 
us? 

Dr. Detmer. Well, I say certainly basic health information prac- 
tices. I will be happy to get back to you. I think it is a very rel- 
evant and critical question actually to the legislation. 

Mr. Becerra. I think to the degree you can help us set the pa- 
rameters of what we are going to do, if there is something we 
should clearly leave off the table with regard to statutes and limi- 
tations, it would help us quite a bit. 

Dr. Detmer. Certainly. 

[The following was subsequently received:] 

Both the NCVHS in its recommendations to the Secretary (June 27, 1997), and 
the Secretary in her recommendations to Congress (September 11, 1997), recognized 
the difficulty in drafting health privacy legislation and recommended a "safety valve 
provision." Specifically, the Secretary's recommendations noted: 

We recommend that there be authority to suspend, by regulation, any provision 
of the legislation for a limited period in the event of an unforeseen significant threat 
to health or safety, significant threat to patient privacy, major economic disruption, 
or manifest unfairness. 

The design of precise controls on the use and disclosure of information is a com- 
plex task, and it is possible that the legislation would forbid a disclosure, or other- 
wise constrain behavior, in a way that causes unanticipated hardship. 

Authority to suspend a provision would ensure that situations like this could be 
addressed, on a temporary basis, pending Congressional consideration of amend- 
ments. 

Federal agencies are accustomed to the flexibility provided by the Privacy Act of 
1974, whose routine use provision (5 U.S.C. 552a(a)(7) and (b)(3)) permits agencies 
to make administrative choices to disclose information beyond the disclosures explic- 
itly allowed in the statute. We do not recommend administrative authority as flexi- 
ble as the routine use provision, which appears in a law covering all activities of 
all Federal agencies, and where a statutory catalog of all possible uses of informa- 
tion was not feasible. We recommend a provision to deal with extraordinary situa- 
tions that may have not been foreseen, and then only for a limited time. 


Mr. Becerra. With regard to the whole issue of the data we col- 
lect and how we keep all that information, electronic, paper, and 
so forth, what do you do with the nonprofit, the community-based 
clinic that already survives on a shoestring budget, if we determine 
that the best way to keep information safe is to go toward some 
electronic mechanism? 

How do we help those that are barely surviving to provide health 
care, to now get to the point where they will abide by statute or 
regulation requiring them to provide protection to private informa- 
tion? 

Dr. Detmer. Very good point. It came up in our hearings. In par- 
ticular, we had a hearing out in San Francisco where Los Angeles 
County Hospital came and said, Look, our budgets are so low, the 
idea we can have a very wonderful, which we would like, informa- 
tion system with what many of you might consider really important 
and basic information is simply beyond our means. 

There is clearly cost involved in this issue, and certainly one of 
the main drivers of HIPAA was to in fact save money from admin- 
istration simplification. We again lack the facts and data that 
would allow us, I think, to really know exactly how big a problem 
this will be. We know in some areas trying to do much of anything 
would probably stretch their budget. So there is a tension in here 
and there is a cost in this. 

On the other hand, there is also a general public concern about 
privacy. We need to have a law but we do need to, I think, look 
carefully at the costs that that will impose on people. 

[The following was subsequently received:] 

Section 1173 of the Health Insurance Portability and Accountability Act of 1996 
(Public Law 104-191, Aug. 21, 1996) requires the Secretary to adopt standards for 
electronic data transactions, but does not mandate that providers exchange informa- 
tion electronically. While issues regarding costs of maintaining and providing infor- 
mation electronically have been raised at its hearings, the Committee has not ad- 
dressed this issue. 


Mr. Becerra. Thank you, Mr. Chairman. 

Chairman Thomas. In regard to that, though, the next panel will 
have some comments, and I find the argument on cost a bit analo- 
gous to the preventive care arguments we had, that wound up with 
us finally spending money according to the budget rules. Everyone 
involved believed that in the long run, a decade, a generation, that 
we would save money on preventive care. With adequate records, 
the investment and the ability to keep really accurate records, that 
a number of areas such as duplicate proc^ures or missed proce- 
dures, that would save customers in the long run, may very well 
be at least offsetting. 

That is not a comfort to someone who has to meet a budget on 
a quarterly or a yearly basis, but we need to look at all aspects of 
the decision rather than just very narrowly someone's quarterly ac- 
counting on the cost of changing the way in which we provide 
records both to the patient and to the system. 

The other point I wanted to make before I ask you a final ques- 
tion, the gentleman from Louisiana's line of questioning is very, 
very pertinent, and I have had an ongoing, mostly positive relation- 
ship with the insurance business trying to convince them that their 
real job is to manage risk, not eliminate risk. 

Dr. Detmer. Thank you. 

Chairman Thomas. Under the current rules, at the same time, 
we ought not to shoot the messenger if what they do is provide us, 
under the current rules, the cost of coverage for particular con- 
cerns. That then becomes an immediate problem for the individual, 
but it becomes a problem for society in examining the way in which 
the current rules operate. 

And that goes to the gentleman from Louisiana's discussion 
about community rating or getting better risk assessment tools 
available to us for making these kinds of decisions, because I do 
not want the industry to pull punches in terms of what the costs 
of these various conditions would be to insure in the current world. 
That allows us to make a realistic decision and not an unrealistic 
one. 

Then, finally, as we get into this area which all of us now I think 
are fairly sensitized to, as to its importance in dealing with pri- 
vacy, we do not have a comprehensive privacy statute on the books. 
The string theory of physics for privacy, I think for a very good rea- 
son. We do have, though, a number of statutes on the books, and 
the staff has listed for me the Privacy Act of 1974, Americans With 
Disabilities Act, the Controlled Substances Act, and most recently, 
the Balanced Budget Act. 

Did the committee review those? And can you give us any lessons 
learned from the implementation of these earlier Federal statutes, 
in terms of their either applicability or the difficulty of converting? 
One of the things we do around here is take something that has 
worked in the past and apply it to something else. Do you have any 
cautionary words about the way in which we might approach this 
particular area of privacy vis-a-vis what we have done in the past 
and what might be seen as somewhat similar or related areas? 

Dr. Detmer. Yes, and the committee has not explicitly dealt with 
that question, particularly the Balanced Budget Act, which is very 
current. I think the question is a good one and one that I will put 
to the committee. I think it could be useful to you to get back on 
that. 

In general, as an offhand comment, I do not think that the proc- 
ess, being the way it operates, it has been that bad. In fact, it has 
been quite good. 

I do want to respond to an earlier comment, if I might. I think 
my first time to ever testify before you was soon after I had chaired 
the Institute of Medicine study on computer-based patient records 
some years ago, and I want to underscore how much I agree per- 
sonally with what you are saying here. On the basis of that study 
and other work, we will not get to truly value-based, cost-effective 
care, even looking at these issues of cost on insurability and such, 
until we have much finer grain reliable information. That is only 
going to come actually out of computer-based analysis, properly 
done, with the appropriate confidentiality protections in place. 

[The following was subsequently received:] 

The Committee has not examined the Privacy Act or the other laws in any depth 
in developing its recommendations. 


Chairman Thomas. Well, without it I do not see how we can cre- 
ate some outcomes research that providers will need, that we will 
need as smart buyers with the taxpayers' money, but, more impor- 
tantly, providing a body of information to patients so that they can 
be smart consumers as well, which is one of the fundamental ways 
we will keep a control on health care costs. 

Dr. Detmer. Many of us are grateful for your leadership on that. 

Chairman Thomas. The final comment would be to tie in once 
again with the gentleman from California. While you look at these 
various particulars, the other thing I am most concerned about is 
the balance between statute and regulations. Because, obviously, 
given the changing technology, we are not going to be able to write 
a piece of legislation that is probably as flexible as we would like 
for the near term. 

If you could, create some bright lines for us that would be most 
appropriate in legislation versus areas that probably are going to 
be changing and we can review, lock up if necessary in legislation 
in the future, but perhaps might lead to legislation. 

My real worry about that is that as this argument for privacy 
continues, I do want to make sure the Federal statute encompasses 
the basic structure so that there will not be, for want of a better 
term, an end run around what we are trying to do by— particularly 
by States being overly zealous in regulating beyond what is nec- 
essary to create those clear and necessary personal privacy and 
confidentiality protections, but still allowing for the collection of 
data which will allow us to move forward, both for individuals and 
for medical science. 

[The following was subsequently received from Mr. Detmer:] 

As noted above in response to 09., both the NCVHS recommendations to the Sec- 
retary (June 27, 1997) and the Secretary's recommendations to Congress (September 
11, 1997) recognized the difficulty in drafting health privacy legislation and rec- 
ommended a "safety valve provision." The Secretary's recommendations specified 
that "[w]e recommend that there be authority to suspend, by regulation, any provi- 
sion of the legislation for a limited period in the event of an unforeseen significant 
threat to health or safety, significant threat to patient privacy, major economic dis- 
ruption, or manifest unfairness." 


Any Members have any additional questions? 

The gentleman from California. 

Mr. Becerra. Really quickly, and again this may be premature, 
was there a great deal of discussion of what you do after privacy 
information has been disclosed? What about the person who has a 
mental history and those records are disclosed, or has the AIDS, 
HIV virus? What happens in that case, when the cat is out of the 
bag? Did you propose or discuss what should be the remedy in 
those cases? 

Dr. Detmer. Well, I think we do see, as I say, sanctions that 
should come into play if there are obvious cases of that type. You 
mentioned both mental health as well as HIV, for example. Clearly, 
there are some sets of health information that will expose people 
more than other general data, like a simple blood pressure, pulse 
reading, say. 

The general feeling is that if you really start taking it case by 
case and trying to look at genetic information, or HIV status, or 
mental health data, all in separate kinds of all special sorts of 
cases, that becomes something almost impossible to try to manage 
sensitively and appropriately. The committee's general feeling is, 
Let us put in a very good standard and let us have that standard 
be such that it protects those people, so that in fact your protection 
does not depend on what disease you unfortunately happen to get 
or what problem you happen to have. 

Mr. Becerra. If I could ask this, as you all continue, if you could 
give some close attention to giving us some strong and specific rec- 
ommendations on sanctions, because there will be all sorts of spe- 
cial interests in this trying to fight to either make them very 
strong or very weak, and it would help if we had some good guid- 
ance from those who are examining the whole issue. Give us a 
sense of how strong or how weak we should be with regard to sanc- 
tions, if in fact we find that information is disclosed. 

Dr. Detmer. It is clearly a judgment call. At least I would advo- 
cate that you make them sanctions that really look and feel like 
sanctions, if it looks like a horse and feels like a horse. I really 
think that needs to happen. 

I think they really need to be there, but it is still a question of 
levels. And you are right, there will clearly be some pressures to 
make it higher or lower. Again, I will see if I can try to give you 
some advice on that, if I can. 

[The following was subsequently received:] 

There is clear consensus that there be strong civil and criminal sanctions. A fed- 
eral privacy law should, as recommended by the Committee (June 27, 1997) and the 
Secretary (September 11, 1997), "provide for punishment for those who misuse per- 
sonal health information and redress for people who are harmed by its misuse. 
There should be criminal penalties for obtaining health information under false pre- 
tenses, and for knowingly disclosing or using medical information in violation of the 
Federal privacy law. Individuals whose rights under the law have been violated 
should be permitted to bring an action for damages and equitable relief." 


Mr. Becerra. Thank you, very much. 

Thank you, Mr. Chairman. 

Chairman Thomas. Looked like a horse and kicked like a mule. 

The key to that is where it is personally identifiable and it is 
electronic, you will know who has done it with the audit trail, and 
that you allow for relatively tough sanctions but the court system 
to resolve a number of those on the intensity. 

We obviously have access to taxpayer funds for medical purposes 
to sanction a number of people who are involved in the medical end 
of it through research or other ways, and a combination of those 
are what we are going to have to look at. 

Dr. Detmer. It is not as though we have no protections or things 
in place at this point. In fact, I think there is quite a bit of interest 
and commitment to this. It is just that we do not have a privacy 
law. 

Chairman Thomas. And to determine which ones appropriately 
match up. 

Dr. Detmer. Exactly. 

Mr. Becerra. The bottom line is, for the patient who has had 
this information exposed, there is little remedy he can do in terms 
of money or some type of civil or criminal sanction against that dis- 
closure to make that person now feel whole. 

I would think we would want to construct something that pro- 
vides swift sanctions and, as you said, it really has teeth. Because 
what you want to do, as you said before, is protect the information 
from ever being disclosed, especially information that is that sen- 
sitive of a nature. 

Chairman Thomas. The gentleman is pursuing a line of deter- 
rence. I understand what you are saying. 

Mr. Becerra. Prevention. 

Chairman Thomas. You probably would not want to go down 
that road in other areas of discussion, but I clearly think a good 
example would be a deterrence. If you have a clear indication of 
someone violating it, a relatively swift and stiff punishment would 
occur, and we will explore those avenues. 

Dr. Detmer. And, in fact, unfortunately many lapses are essen- 
tially a person who has no business doing what they are doing. And 
that is far more the more common area than a problem with the 
technology itself or something else. It is somebody not respectful of 
these kinds of data and the personal harm they do to people. 

Chairman Thomas. Well, thank you very much. This is obviously 
the beginning of a process of producing legislation that will both 
protect individuals' right to privacy and confidentiality of records 
and also allow us to continue to access them for legitimate medical 
and research purposes. 

Thank you very much, Doctor. 

Dr. Detmer. Thank you. 

Chairman Thomas. We can ask our next panel to come forward. 

This will be Dr. Stephen Borowitz, who is associate professor of 
pediatrics and health evaluation sciences at the University of Vir- 
ginia, Charlottesville; Janlori Goldman, director of the Health Pri- 
vacy Project at Georgetown University; Dr. James R. Birge, I be- 
lieve it is, medical director and chief executive officer of the 
MacGregor Medical Association in Houston, Texas. 

Dr. Borowitz, a copy of your full statement will be placed in the 
record. You may proceed in the time available in any way you see 
fit. 

STATEMENT OF STEPHEN M. BOROWITZ, M.D., ASSOCIATE 
PROFESSOR, PEDIATRICS AND HEALTH EVALUATION 
SCIENCES, UNIVERSITY OF VIRGINIA HEALTH SCIENCES 
CENTER, CHARLOTTESVILLE, VIRGINIA 

Dr. Borowitz. Mr. Chairman and Subcommittee Members, my 
name is Stephen Borowitz and I am associate professor of pediat- 
rics at the University of Virginia. In the next several minutes I 
hope to show you how information technology can improve health 
care. 

The practice of medicine is information intensive. Forty percent 
of hospital operating costs result from patient and professional 
communications, and physicians and nurses spend as much as half 
of their time documenting. Yet 70 percent of the time, physicians 
do not have all the information they need. The greatest reason for 
this is that we continue to keep most medical information in a 
paper medical record. 

The paper record today is little different than 50 years ago, de- 
spite an explosion of medical knowledge and technology. Informa- 
tion is not sorted for relevance but rather by source and chro- 
nology, so that critical information may be deeply buried. Increas- 
ingly, the paper record is serving purposes it was not designed for. 
It is the source of medical billing documentation and the principal 
repository for medical-legal information. There is more and more 
information in the record, much of which has little or no direct clin- 
ical relevance. 

When compared to paper records, computerized records provide 
easier and faster access to clinical information. The data are of 
higher quality, always legible, and can be displayed in a number 
of different formats. Many organizations are already developing 
computer-based records. 

This is my younger daughter's record at the University of Vir- 
ginia. This and other systems are searchable. We can search for all 
of the patient's blood counts, and the results are displayed quickly 
on a single screen and can be graphed or analyzed. The system also 
contains text. 

This is a hospital discharge summary of a little girl with ulcera- 
tive colitis whom I care for. Two days after her hospital discharge 
she returned late at night with intestinal bleeding. Because of this 
computerized record, the emergency room physician immediately 
knew her problem, who should be contacted, and what interven- 
tions were appropriate. 

Computerized records can contain images such as x rays or elec- 
trocardiograms. By being able to view this old electrocardiogram, 
an emergency room physician can determine that this man com- 
plaining of chest pain is experiencing heartburn not a new heart 
attack. 

Perhaps the greatest limitation of the paper-based medical record 
is that it actually does not exist. Every health care provider who 
has ever seen a patient has a separate paper record, and these 
records are viewed as personal notes or reminders rather than part 
of a larger whole. They are often perceived as owned by health care 
providers rather than by the patient. 

An excellent example of the limitations of the paper record is 
childhood immunizations. These are the safest and most cost-effec- 
tive health interventions. Ninety-five percent of children begin the 
recommended series, and 97 percent are fully immunized upon 
entry into kindergarten. However, only half of 2-year-olds are fully 
immunized, yet they are the group at greatest risk for the diseases 
we are trying to prevent. The number of completely immunized 2- 
year-olds would go from 50 to 85 percent if we eliminated all 
missed immunization opportunities. 

The biggest barrier to this is the lack of data. Many children 
change providers or are seen by multiple providers. Half of all chil- 
dren receive immunizations at two or more facilities. This makes 
responsibility for immunizations ambiguous. Who keeps track of 
them and who should be responsible? 

We have attempted to provide this type of information with 
Project Vaccine, a shared computerized immunization data base. 
Here is my younger daughter's immunization record. She is up to 
date. While this system can recommend immunizations, providers 
were resistant to this, so we provide current immunization sched- 
ules. Over the past 3 years, the rate of completely immunized 2- 
year-olds in central Virginia has risen from 58 to 78 percent. 

In addition to recordkeeping, information technology is influenc- 
ing the way health care is delivered. For the past 2 years, we have 
been providing electronic mail consultations across the World Wide 
Web. Here is the e-mail form directed to me. There is a disclaimer 
that the information is being conveyed across the Internet and may 
not be secure or confidential. 

Over the past 24 months, I have received more than 1,000 con- 
sultations. Here is an example from a parent in rural North Caro- 
lina whose 1-year-old son had chronic abdominal difficulties. Near- 
ly 80 percent of my consultations have been initiated by parents. 

I have received requests from 38 of the 50 States. Clearly, many 
people out there are seeking information. 

I believe information technology is helping to disseminate and re- 
distribute medical information. Information that was previously 
only available to medical professionals is now available to anybody 
with access to a computer. This can only help patients and their 
families to be more active participants in their own health care and 
to make better and more informed health care decisions. 

Thank you. 

[The prepared statement follows:] 
Statement of Stephen M. Borowitz, M.D., Associate Professor, Pediatrics 
and Health Evaluation Sciences, University of Virginia Health Sciences 
Center, Charlottesville, Virginia 

Mr. Chairman, Members of the Subcommittee on Health, thank you for your ex- 
amination of two crucial and intertwined issues confronting our health system: the 
confidentiality of medical information, and the use of computer and communications 
technology to improve patient care. My name is Stephen Borowitz. I am a pediatri- 
cian who specializes in gastroenterology and nutrition and an Associate Professor 
of Pediatrics and Health Evaluation Sciences at the University of Virginia. I have 
long had interests in how information technology can be used to improve the deliv- 
ery of health care as well as the delivery of medical education. My task today is 
to give you some idea as to the potential of information technology to improve the 
coordination of and access to health care, and help physicians and other health care 
providers become lifelong learners. 

While I speak today as an individual physician, I must note that the explosion 
of information technologies is reaching deeply into every corner of our nation. Today 
health data can be transferred from facility to facility in seconds, read and inter- 
preted hundreds or thousands of miles away from the patient, stored on a variety 
of disks, drives, tapes, etc. In health care the global village is rapidly arriving, and 
patients in that global village could live in the smallest town in rural Virginia or 
across the world, and be treated by specialists at our Health Sciences Center 
through the use of telemedicine and other technologies. 

I am also a member of the American Medical Informatics Association (AMIA), a 
national organization dedicated to the development and application of medical 
informatics in support of patient care, teaching, research, and health care adminis- 
tration. AMIA's more than 3800 physicians, researchers, librarians, information sys- 
tems managers, and other professionals with expertise in information technologies 
recognize that the enormous potential for computer and communications technology 
to improve health care cannot be realized unless individuals and the society-at-large 
are reasonably certain that safeguards are in place to protect the confidentiality of 
personal health data in medical records. My comments today reflect not only my 
own views as a physician who actively uses technology to improve patient care, but 
also those of many members of AMIA. 

The practice of medicine is information intensive. Nearly 40% of hospital operat- 
ing costs result from patient and professional communication activities. Despite the 
fact that physicians spend more than a third of their time "documenting," and 
nurses spend nearly half of their time "documenting," physicians report that 70% 
of the time they do not have all the information they need to best care for a patient. 

Perhaps the single greatest reason health care providers do not have all the infor- 
mation they need to deliver the best care is that we continue to keep most medical 
information in paper medical charts. Paper medical records have changed little over 
the past fifty years despite an explosion of medical knowledge and medical tech- 
nology. While there are clearly advantages to the paper medical record in that it 
is familiar and portable, this form of record keeping has many limitations. Informa- 
tion in the paper medical record is not sorted for medical relevance. Rather, infor- 
mation in the paper record is sorted first by data source (i.e. medical orders, inpa- 
tient notes, laboratory results, radiology results, nursing notes, etc), and then by 
chronology. This often means that the most important data elements are buried 
within the record rather than being one of the first things a health care provider 
sees when he or she opens that record. 

Increasingly, the medical record is serving purposes it wasn't originally designed 
for. The medical record now serves as the principal source for medical billing docu- 
mentation and the major repository of medical-legal information. This means that 
there has been a tremendous increase in the amount of information within the 
record, much of it with little or no direct clinical relevance. 

While there are many potential obstacles to the development of computer-based 
patient records, such systems can overcome many of the limitations associated with 
paper-based medical records and offer health care providers better information upon 
which to base clinical decisions. When compared to a paper-based record, a com- 
puter-based patient record provides easier and faster access to clinical information, 
the data are of higher quality, clearly legible, and can be displayed in a number of 
different formats. Computer-based patient records can generate prompts and re- 
minders during the delivery of care and provide health care givers with decision 
support and links to the medical literature, thus integrating the delivery of care with 
the educational process. 

Computer-based patient records can decrease some of the costs associated with 
health care. With a completely searchable record, there will be a decrease in the 
number of redundant or unnecessary diagnostic or therapeutic procedures that are 
now performed because of incomplete or incorrect information. A computer-based pa- 
tient record can dramatically reduce the costs associated with the filing, transport- 
ing, and copying the paper medical record and the generation and submission of 
bills. In large medical centers it costs $8.00 each time a paper record is pulled for 
use and $11.00 to complete each paper-based billing encounter form. 

Perhaps the greatest limitation of the paper-based medical record is that it actu- 
ally does not exist. The paper-based medical record is based on the construct that 
people are cared for by a single physician or organization across the continuum of 
care, throughout a lifetime. Given the complexity of our current health care system 
and the mobile nature of our populace, no individual has a single "medical record." 
Rather, every health care provider who has ever seen that individual has a separate 
paper record, even if many of those health care providers work in the same facility. 
The information within these disparate and uncoordinated paper medical records is 
often thought of as personal notes or reminders for that health care provider or 
health care organization rather than as part of a larger whole. These separate paper 
medical records are viewed as being owned by the health care provider rather than 
by the "patient" to whom they pertain. 

One of the most illustrative examples of the limitations of our current paper- 
record based system is childhood immunizations. Childhood immunizations are per- 
haps the safest and most cost-effective health interventions we currently have. For 
every dollar we spend successfully immunizing a child, we save $10.00 to $14.00 in 
the future. We know that 95% of children in this country begin the recommended 
series of immunizations: the first immunization is now administered before the in- 
fant leaves the hospital. We also know that 97% of children in this country are fully 
vaccinated at the time of kindergarten entry largely because it is required. However, 
only 37-56% of two-year old children are fully immunized despite the fact that these 
are the children at greatest risk for the diseases we are trying to prevent. Numerous 
studies have demonstrated that underimmunization rates among two-year-olds do 
not vary substantially by ethnicity, geography, socioeconomic status, or health in- 
surance status. Children who receive their health care from private pediatricians 
are just as likely to be underimmunized as are children who receive their health 
care from public health departments. Children who have private health insurance 
through their parents' employer are just as likely to be underimmunized as are chil- 
dren who have no private health insurance. This is primarily due to a lack of reli- 
able information. Many young children are seen by multiple health care providers 
or change primary care providers during childhood. It has been estimated that ap- 
proximately half of all children in this country receive their immunizations at two 
or more unaffiliated health care facilities. This makes the responsibility for admin- 
istering immunizations ambiguous. Who keeps track of childhood immunizations 
and who should be responsible? 

We know that without any changes in patient behavior, the rate of completely im- 
munized two year old children could be increased from 50% to 85% if the health 
care system eliminated all missed opportunities for immunization. In order to take 
advantage of these missed opportunities, health care providers need to have reliable 
information upon which to base their immunization decisions. A shared immuniza- 
tion repository could provide this information. If information regarding a child's im- 
munization history were readily available to any physician treating that child, im- 
munizations could be administered in a timely fashion. We have attempted to provide 
this information for health care providers in Central Virginia with VaCCINe (Vir- 
ginia Computerized Childhood Immunization Network). Preliminary review of the 
available data from 16 out of 32 child care centers and preschools throughout the 
Thomas Jefferson Health District of Central Virginia demonstrates that over the 
past three years, the apparent rate of completely immunized two year old children 
has risen from 58% to 78%. 

There are no longer any technological barriers to the development of computer- 
based patient records and many institutions have implemented portions of com- 
puter-based patient records with varying levels of success. However, there are many 
political and organizational issues that must be addressed. We must develop reliable 
means of identifying individual patients while insuring the data in their records are 
secure and confidential. 

There is little evidence that health care providers or health researchers misuse 
health information. While there are genuine concerns about unauthorized public re- 
lease of personal information or the misuse of personal medical data by employers, 
insurers or others to discriminate against or otherwise harm an individual, at the 
same time it is crucial to recognize that access to all relevant patient-specific health 
care data is essential for those engaged in the provision of care, or in research to 
advance medical science and improve human life, or in the direction of public health 
programs and the protection of public safety. In the end, legislation governing 
health information must protect not only the confidentiality of individual medical 
records but also the ability of health professionals to provide care, conduct research, 
and prevent disease in a manner that benefits the entire population. Health infor- 
mation standards must thoughtfully and carefully balance the rights of the individ- 
ual, the capacity of the health care system to provide needed care, and the interests 
of our nation as a whole. 

Issues of security and confidentiality are not unique to computer-based patient 
records. Paper medical records are far from secure. Paper medical records are often 
kept in relatively open public areas to afford ready access. Moreover, because of the 
way information is stored in the paper medical record, it is not possible to "seques- 
ter" certain types of information from individuals who have access to that record. 
Anything that is in the paper record can be seen by anybody. Moreover, there is 
no means of creating an audit trail of who accesses a paper record, or what they 
do once they have the record. 

A common concern about computer-based patient records is that they may be less se- 
cure and confidential than paper medical records. However, a computer-based pa- 
tient record can be made more secure than a paper medical record through the use 
of authentication and authorization, and the maintenance of audit trails. Authen- 
tication refers to a process that verifies the identity of the user. This can be by 
something the user knows (mother's maiden name, ID, password), something the 
user has (a key, a smart card, a token), by something related to who the user is 
(signature, fingerprint, voiceprint), and/or by something indicating where the user 
is (an IP address, a phone number, a hardware configuration). Authorization refers 
to a process whereby the information and services a user can have access to are lim- 
ited based upon attributes of the user, attributes of the data, and/or attributes of 
the request. Finally, the use of audit trails can serve as strong and important deter- 
rents to breaches in confidentiality if strong enough sanctions are employed. An 
audit trail is a record of information access events and can include the identity of 
the requestor, the date and time the request was made, the source and destination 
of the request, a description of what information was retrieved, and what the reason 
was for retrieving the information. Organizational policies and practices are at least 
if not more important than technological mechanisms in protecting health informa- 
tion and patient privacy. 

In addition to record keeping and access, information technology is influencing the 
way that health care is delivered. Quality health care is dependent upon good com- 
munications between physicians and patients. Successful communication results in 
the patient's understanding of the diagnosis and increased compliance with thera- 
peutic recommendations and interventions. In addition to face to face and telephone 
contact, rapid written communication through electronic mail (e-mail) is now widely 
available to patients and health care professionals. E-mail can provide patients with 
a direct means of communicating with physicians and assuring them that their mes- 
sages are received and read. E-mail provides physicians with the ability to follow- 
up or clarify advice that was provided during an outpatient visit and messages can 
direct patients to educational materials or other resources available on the Internet. 

As of late 1996, nearly 25% of people beyond 16 years of age in the United States 
have access to the Internet and at least 15% of the U.S. population was using e- 
mail. In certain regions, one fourth of patients use e-mail to communicate with their 
health care providers. Those patients who utilize e-mail to communicate with physi- 
cians perceive this means of communication as not only more convenient and faster 
than telephone communication, but also as increasing their access to medical care. 

While e-mail is generally viewed as a good means of communicating simple infor- 
mation and non-urgent requests between physicians and patients (i.e. refilling pre- 
scriptions, communicating laboratory results, or making appointments), up to 90% 
of patients who use e-mail to communicate with their physicians relay important 
and sensitive medical information electronically. 

Beginning in November of 1994, the Children's Medical Center at the University 
of Virginia instituted a pilot program of providing electronic mail consultations in 
selected pediatric subspecialties (http://www.med.virginia.edu/docs/cmc/ 
giconslt.html). A disclaimer was included at the top of the form alerting people that 
since the information contained within the form would be conveyed across the Inter- 
net, it might not be secure. All consultation replies included a copy of the original 
consultation request as well as a disclaimer to the effect that since the patient had 
not been physically examined and the entire history had not been obtained, the va- 
lidity of the response might be limited. 

Between November 1, 1995 and February 28, 1998, the Division of the Pediatric 
Gastroenterology at the Children's Medical Center of the University of Virginia re- 
ceived 938 electronic mail consultation requests. During this 28-month period, an 
average of 33.5 ± 11 consultation requests was received each month with a range 
of 14 to 68 requests. There has been a slow but steady increase in the number of 
consultation requests received each month. 

The greatest number of consultation requests were initiated by parents or guard- 
ians (79%), however 11% of the requests came from physicians and another 10% 
came from other health care professionals such as nurses, pharmacists, or res- 
piratory therapists. 

85% of the consultation requests originated within the United States. During the 
28-month period, consultation requests were received from 38 of the 50 U.S. states. 
Only 8% of all consultation requests originated in the states of Virginia or West Vir- 
ginia, which comprise our traditional referral area. 15% of the consultation requests 
originated from sites outside of the United States; consultation requests were re- 
ceived from 37 different countries. Outside of the United States, the most frequent 
international source of consultations was Canada, followed by Australia, the United 
Kingdom, and Argentina. 

The large number of consultation requests we received from parents and guard- 
ians suggests that their primary health care providers do not always meet a family's 
information needs, or that they are dissatisfied with some of the information they 
have received. This dissatisfaction is further highlighted by the observation that 
nearly half of patients use some form of non-conventional medical therapy, often 
without consulting with or informing their primary care physician. As a group, par- 
ents seeking non-conventional medical therapies for their children are well-educated 
professionals, precisely the group of people who have ready access to the Internet 
and e-mail. 

Many parents appear to be very comfortable seeking medical information from rel- 
atively anonymous "electronic consultants." This form of electronic communication 
provides people with a means of identifying qualified consultants outside of their 
local health care system and to communicate with these consultants directly without 
numerous layers of administrative bureaucracy. According to many of the families 
who consulted us, e-mail communications with an anonymous "electronic consult- 
ant" are less intimidating than face to face conversations with time-pressured physi- 
cians. E-mail enabled many parents to ask questions that they were otherwise too 
timid to ask. This may in part be due to the mode of communication. E-mail is a 
hybrid between written and spoken language. It allows people to choose their words 
carefully without the pressures of time or place. Response time with e-mail is sub- 
stantially shorter than with written letters and yet e-mail offers more permanence 
than a face-to-face or telephone conversation. 

The public's increasing interest in online medical consultation reflects the chang- 
ing nature of our health care delivery system. The rapid growth of electronic com- 
munications has paralleled the shift towards giving patients more responsibility for 
their own health care decisions. As the public has become better educated, they 
have become accustomed to seeking information about health care from printed 
media. It is only natural for them to turn to electronic sources of information such 
as Web sites and, when they have further questions, to contact web-site authors. 
More and more people in the United States receive their health care through man- 
aged care organizations which limit access to specialists and specialized treatments. 
This means that patients and their families have new incentives to find alternative 
sources of expert medical opinion, and when they go outside of their health care net- 
work, to seek the most time and cost-effective means of diagnosis and therapy to 
minimize their own out-of-pocket costs. 

Given the complexities of the communication process, there are always potential 
misunderstandings when physicians and patients exchange medical information. 
The potential for misunderstandings may be magnified when medical information 
is exchanged across the Internet. The information could be based upon incomplete 
or incorrect assumptions, the information could be misinterpreted, it could be incor- 
rect or out-of-date, or it could be more up-to-date than information provided by an- 
other physician. Given the wide variation in practice patterns, situations may arise 
in which an online consultant will disagree with the advice of another physician. 
In the United States, the law dealing with interactions between physicians and pa- 
tients over the Internet has not been well defined. Potential legal issues include 
physicians practicing without licensure in the state or country in which the patient 
resides, alleged medical negligence, and abandonment of patients should the con- 
sultant not continue the relationship. 

The availability of vast amounts of medical information on the World Wide Web 
can have important implications for the future of our health care system. One au- 
thor has called this "the next transformation in the delivery of health care." This 
dissemination and redistribution of medical information may influence public per- 
ceptions of the standards and quality of care and the nature of the doctor-patient 
relationship. Medical information on the World Wide Web can help health care pro- 
fessionals educate their patients, learn more about patients' concerns and fears, and 
help patients make better and more informed decisions about their own health care. 

While information technology is already helping to reshape our health care sys- 
tem, it can also help us change some of the paradigms of health care. In our current 
environment, the practice of medicine, continuing medical education, and clinical re- 
search are separate and somewhat independent enterprises. The innovative develop- 
ment and use of information technology and computer-based patient records can 
help us integrate clinical care with clinical research and lifelong learning while 
helping patients and their families to be more active participants in their own 
health care and make better and more informed decisions. 

Chairman Thomas. Thank you very much, Doctor. And I will ac- 
knowledge I am the one who borrowed the information from your 
written statement to talk about the preventive aspects. 

Ms. Goldman. 

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH 
PRIVACY PROJECT, INSTITUTE FOR HEALTH CARE 
RESEARCH AND POLICY, GEORGETOWN UNIVERSITY 

Ms. Goldman. Good morning, and thank you very much for the 
opportunity to testify here today. I am very pleased the Sub- 
committee is focusing on this issue and prepared to move ahead, 
as Congress now has set a time limit on itself. 

One of the questions that was asked earlier about existing pri- 
vacy laws I think is an important one as we view this in the con- 
text that we do have an existing body of privacy statutes. And 
while they are not terribly consistent or related to each other, in 
some ways they do bear, I think, certain commonalities. I would 
hope that when we look at crafting a medical privacy law, we try 
to put it within the context of those existing privacy laws and, as 
you said, to learn something from what we have already done. 

What Congress has recognized is that medical privacy is a criti- 
cal issue and we need to move forward within a certain period of 
time to pass legislation, and that if we are not able to do that, if 
we are not able in this body to reach some kind of consensus and 
move forward, the Secretary will then handle this as a regulatory 
matter. I do think Congress has a greater role in terms of setting 
enforceable rules and having remedies and enforcement mecha- 
nisms in place. We do have an important opportunity to do that 
work here. 

We have seen a much greater urgency in this area, even in just 
this past year. The recent stories involving the disclosures by CVS 
and Giant, I am sure many of you saw reported in the papers in 
the last few weeks, showed we are dealing in an unregulated envi- 
ronment. There is not now an existing Federal law protecting peo- 
ple's medical records. 

So while people are not necessarily acting with malice, there are 
considerations that are being given when information is disclosed 
that are not patient-focused, that are not focused on what is best 
for the patient or that do not directly involve the patient. So the 
response on the part of the public to those disclosures by CVS and 
Giant was very swift, very angry, and in fact both of those compa- 
nies took out ads in the Post to say that they were stopping the 
practice altogether. Not trying to fix it, but stopping it all together 
until they could recoup some public confidence and decide how, if 
at all, they could move forward with compliance and marketing 
programs. 

One of the things I would like to suggest here this morning is 
that the way we have looked at privacy in the last decade in this 
area has been to view it in conflict with achieving public health 
goals. So that when we talk about privacy, we often talk about the 
costs associated or we see it as a barrier to getting access to data 
for research purposes or public health purposes. I do not think that 
has been a useful formulation, and I do not think it is an accurate 
formulation; such a view keeps us from developing the consensus 
we need. 

One of the things I found is that exactly the opposite is true. Pri- 
vacy is not a barrier to achieving public health purposes, public 
health initiatives, and improving access to data for research. In 
fact, it is the opposite. Privacy is necessary for getting good quality 
data, complete data, and accurate data for use for those public 
health purposes. 

I want to spell out a few of those areas. When people do not trust 
that when they go to their doctor the information they are sharing 
will be handled in a confidential way, they do start to engage in 
certain privacy protective behaviors which have some very serious 
consequences. It has serious consequences for the individual, be- 
cause if they do not accurately and fully share information, the doc- 
tor then does not have data he or she needs to accurately diagnose, 
to accurately treat. So the patient's care is undermined right there 
in the doctor's office. 
But, also, doctors then are not transmitting accurate and com- 
plete data on claims forms, the encounter data that the insurance 
industry relies on in doing the outcomes analysis that researchers 
rely on in doing their studies, that public health officials rely on 
in doing their studies and creating population data bases. So when 
we do not protect the information at the front end, it is under- 
mined at the back end. We need this accurate and complete data. 
And I would say we need to give people some assurance that the 
data will be protected so that they will fully share information. 

One of the things we have seen is that the health care environ- 
ment is changing so dramatically. There was an editorial in Sun- 
day's Post that talked about privacy being a moving target and 
that the industry is developing so quickly, so rapidly around infor- 
mation uses and yet there are no enforceable rules in place. What 
I want to do is suggest that there are some key principles that can 
be built into a health privacy proposal. 

We do not have unanimity amongst all of us as to exactly how 
that language should be written, but I want to suggest that there 
are some key principles on which we do agree that we need to ad- 
dress. One is the very basic issue of giving people access to their 
own medical records, a fundamental right which only half the 
States in this country currently protect. 

We need to have limits on disclosure. We need to be able to say 
what information should be disclosed, how individuals make mean- 
ingful, informed voluntary choices by giving them notice of how in- 
formation might be used, and having them sign authorization 
forms. 

Research, I think, is a tough area, as Dr. Detmer has said. One 
of the things that is important to acknowledge is that we do have 
Federal rules in place right now that apply to federally funded re- 
searchers, and those rules require an institutional review board to 
look at informed consent, to look at when there is an appropriate 
waiver of informed consent, if identifiable data is to be used, and 
I would suggest we take those Federal regulations and apply them 
across the board. There would be fairness and uniformity, and all 
researchers, not just those receiving Federal funds, should have to 
comply with those regulations. 

The Minnesota law is a source of some concern for folks. And 
while I agree it is the most restrictive law in this area, there have 
been studies done by the Mayo Clinic that show where consent is 
asked by patients for identifiable data, only 4.5 percent, on an av- 
erage of people who are asked, decline. Four and a half percent of 
the people withhold their permission for use of the information. 

Law enforcement. We need to have rules on government access 
to individual data. Right now every privacy law that exists on the 
books has a law enforcement limitation, and that is required by 
constitutional principle. It is the right thing to do. 

Remedies. We need to have strong remedies and enforcement 
mechanisms. 

I want to address the issue of preemption. I know it is on peo- 
ple's minds. We are dealing in a difficult area, because if we look 
at precedents of privacy laws, we currently do not ever preempt 
law in the civil rights and civil liberties area. In fact, Congress has 
been concerned about preempting State laws. 
In the medical privacy law, we have a particular problem in that 
we do not know what laws we would be preempting. There does not 
yet exist a comprehensive survey of existing State privacy laws. 
They are located in all different areas of the State code, from public 
health to consumer protection to insurance regulation. 

We need to have a better handle on what we would be preempt- 
ing, and we need to look at whether we can determine preemption 
on a case-by-case basis, look at particular issues, and whether 
there is a justification for a carve-out in those areas. Right now 
there is compliance with existing State laws, so people are func- 
tioning in this environment even though it may not always be the 
most convenient. 

Let me quickly mention some of the other issues. 

Discrimination. We have an opportunity in crafting a privacy law 
to in some ways create the first line of defense against discrimina- 
tion. We have the Americans With Disabilities Act, but nothing in 
that law prohibits an employer from getting access to the health 
information. A privacy law would do that. So it would prevent, in 
some ways, the temptation for using that information for discrimi- 
nation. 

The technology is a critical issue you have all talked about. We 
have a chance with the increased technology to better protect infor- 
mation, to create more security for data, and to recognize that 
paper records are essentially a fairly unprotected realm. If we need 
it, we can take advantage of the security opportunities we have. 

And, overall, any health privacy law should create incentives to 
use nonidentifiable data. We should ask the question which we do 
not now ask: Do we need identifiable data in a particular project? 
Can we get by with nonidentifiable data? And by creating those in- 
centives, we would take certain people out of the scope of the law 
and remove the concern. 

I know this is not an easy challenge. We have worked on this 
issue for a long time, but I think we now have the increased politi- 
cal will to move forward. 

At bottom, Americans should not have to worry when they go to 
the doctor, fill a prescription, file a claim form, or they get a job 
and do a preemployment physical; they should not have to worry 
their privacy is going to be put at risk. They should be able to fully 
share information with their doctors and not worry they are going 
to have their care threatened or their employment threatened. 

We will know that we have really made some progress here when 
we protect our medical records as well as we protect our video rent- 
al lists. 

Thank you very much. 

[The prepared statement follows:] 

Statement of Janlori Goldman, Director, Health Privacy Project, Institute 
for Health Care Research and Policy, Georgetown University 

I. Introduction and Overview 

Mr. Chairman and Members of the House Ways and Means' Subcommittee on 
Health: I very much appreciate the invitation to testify before you today on patient 
confidentiality. 

In December 1997, I launched the Health Privacy Project at the Institute for 
Health Care Research and Policy at Georgetown University Medical Center. Prior 
to creating the Project, I have focused on privacy and technology issues—particu- 
larly health privacy— for over a decade, as co-founder and Deputy Director of the 
Center for Democracy and Technology, and as Director of the Privacy and Tech- 
nology Project of the American Civil Liberties Union. 

At present, there is no comprehensive federal law to protect the privacy of peoples' 
health records. However, most people mistakenly believe there is a federal privacy 
law that safeguards their medical records, and they believe the law gives them the 
right to access their own medical records; they are shocked when informed other- 
wise (Louis Harris & Associates, Health Information Privacy Survey, 1993). 
The recent debacle involving CVS and Giant Food selling customer prescription data 
to drug manufacturers for target-marketing and customer tracking— and the public 
outrage expressed over this practice— is another loud and clear call for Congress to 
enact a strong health privacy law to protect people against such unauthorized use 
and abuse of their personal medical records. 

I believe health privacy is one of the most important health issues facing our na- 
tion: it is critical to improving health care, and fostering valuable public health ini- 
tiatives. Fortunately, Congress recognized the urgent need for enforceable health 
privacy rules, and set itself a time limit in the Health Insurance Portability and Ac- 
countability Act of 1996 to pass health privacy legislation by August 1999. 

There are a number of proposals before the House and Senate with regard to med- 
ical privacy. Representative Jim McDermott (D-WA) and Representative Gary 
Condit (D-CA) have both reintroduced their bills from last Congress without signifi- 
cant change: "Medical Privacy in the Age of New Technologies Act of 1997" (H.R. 
1815) and the "Fair Health Information Practices Act of 1997" (H.R. 52), respec- 
tively. In the Senate, under consideration are: "The Medical Information Protection 
Act of 1998," (discussion draft 2/19/98) co-authored by Senator Robert Bennett (R- 
UT) and Senator James Jeffords (R-VT), and "The Medical Information Privacy and 
Security Act," (S. 1368) introduced by Senator Patrick Leahy (D-VT) and Senator 
Edward Kennedy (D-MA). Last week President Clinton released the Administra- 
tion's proposal for a patients' "Bill of Rights," which includes a broad confidentiality 
provision. 

There is a long history of congressional efforts to craft health privacy legislation, 
but, as yet, we have fallen short of achieving the necessary consensus. I believe we 
must take the critical next step to move away from viewing privacy and health ini- 
tiatives as values in conflict, and towards viewing privacy as a key element in en- 
suring the success of health care goals. In my statement, I outline a new framework 
for addressing privacy in the larger health care arena as an ultimate good, which 
will foster patient trust and confidence in the doctor/patient relationship, and en- 
hance the quality of patient data needed for improving patient care, research, and 
public health initiatives. 

II. The Value of Privacy to Individuals and Communities 

The potential benefits to individuals and communities from the emerging global 
information infrastructure are well documented. More and more, people are commu- 
nicating, receiving information, and engaging in commerce through the Internet, 
often with little regard for local and national borders. Individuals, governments, li- 
braries, universities, hospitals, museums, corporations, and non-profits are expand- 
ing their activities to include the use of the Internet and other interactive commu- 
nications technologies. 

But there is a darker side to the "Information Age" that threatens to undercut 
the growth and promise of these powerful new developments. The same medium 
that makes possible the instant global communication and sharing of information, 
also provides people with the capacity to generate, capture, store, and reuse a tre- 
mendous amount of personal information. On a daily basis, applying for a driver's 
license, seeking credit, talking with a doctor, passing through a toll on the turnpike, 
making (or receiving) a phone call, subscribing to a magazine or joining an organiza- 
tion, logging on to a website, or even buying a small item with cash, often requires 
that people divulge a tremendous amount of detailed, sensitive information. 

The primary issue here is not the use of the person's information for the purpose 
for which it was collected (evaluating credit, issuing a driver's license, providing 
medical care), but the unanticipated, secondary disclosures of the person's informa- 
tion. Over the course of a person's lifetime, the record of one's life collected through 
distributed and largely unregulated networks can make real the "womb-to-tomb dos- 
sier" that Harvard Professor Arthur Miller warned of over thirty years ago. Once 
personal information is collected for one purpose, the temptation to use it for other 
purposes is often irresistible. 

In a joint statement last year, President Clinton and Vice-President Gore ac- 
knowledged the public's fear of losing privacy: "Americans treasure privacy, linking 
it to our concept of personal freedom and well-being. Unfortunately, the [Global In- 
formation Infrastructure's] great promise that it facilitates the collection, re-use, 
and instantaneous transmission of information can, if not managed carefully, dimin- 
ish personal privacy. It is essential, therefore, to assure personal privacy in the 
networked environment if people are to feel comfortable doing business." 

Significant social, political, and economic consequences can result from our soci- 
ety's failure to preserve privacy. If people continue to lose control over their ability 
to choose when, what, and to whom to divulge personal, sensitive information, they 
will be reluctant and unwilling to step forward and fully participate in society, fear- 
ing unwanted exposure, judgements, discrimination, surveillance, stigma, and loss 
of jobs, credit, housing, or family. A continued failure to protect the privacy of per- 
sonal information in a variety of spheres— most notably health— will undermine peo- 
ples' ability to fully participate in social, political, and commercial activities. 

III. Privacy and Health Care 

A lot of attention has been paid in recent years to how to improve health care 
in this country, but a critical element that is often overlooked and misunderstood 
is the role privacy and confidentiality plays in the health care setting. Nearly every 
facet of health care— from health care delivery, to payment, prescribing medication, 
outcomes analysis, research, and marketing— is undergoing dramatic changes as our 
society moves towards managed care and the development of integrated health data 
networks. As a recent editorial in The New York Times observed, "Preserving pri- 
vacy in the ever-expanding world of electronic medical records is a daunting task 
that health care organizations and public policy makers have been slow to address. 
But as managed care puts more information into more hands, consumer anxiety 
over confidentiality makes the issue unavoidable." 

A number of factors lead to privacy being viewed by some as being in conflict with 
other health care endeavors. These factors range from fear that addressing privacy 
at the patient level will lead to a diminution in the quality and quantity of health 
data made available, to concern about a lack of knowledge and tools to apply in pro- 
tecting personal health information in both electronic and paper form. Anxiety ex- 
ists among some downstream users of health information that protecting patient 
privacy means people will always choose to lock up their medical records in their 
doctors' offices. 

Some of those who fear privacy will reduce the flow of valuable patient data claim 
that: 

• There is an overriding public interest in furthering their activities which 
trumps any individual privacy claim; 

• People will not be able to responsibly exercise any decision-making authority 
over their own information— in other words, they will not understand (or care about) 
the larger social good to be gained by the use of their information; 

• There are no horror stories of improper use or disclosure of personal medical 
information for which they are responsible; 

• The complexity and cost of putting privacy and security safeguards in place are 
too burdensome, and will choke the flow of identifiable health data needed for 
health care-related initiatives. 

At bottom, some health care organizations are concerned that health privacy regu- 
lation will go too far on the confidentiality side, and thus have a negative impact 
on beneficial health efforts. There is a fear that protecting privacy will clog the free 
flow of health information, and make less information available for outcomes analy- 
sis, research, public health activities, and other health-related purposes. 

Ultimately, the converse is true: without trust that the personal, sensitive infor- 
mation they share with their doctors will be handled with some degree of confiden- 
tiality, patients will not fully participate in their own health care. In the absence 
of such trust, patients will be reticent to accurately and honestly disclose personal 
information, or they may avoid seeking care altogether for fear of suffering negative 
consequences, such as embarrassment, stigma, and discrimination. Along the contin- 
uum, if doctors and other health care providers are receiving incomplete, inaccurate 
information from patients, the data they disclose for payment, research, public 
health reporting, outcomes analysis, and other purposes, will carry the same 
vulnerabilities. 

Initiatives to improve public health and reshape health care— such as community 
health information networks, managed care, telemedicine, outcomes analysis, dis- 
ease management, the creation of population data bases— could not exist, let alone 
flourish, without access to complete and reliable information. However, the current 
lack of privacy and security protections for personal health information threatens 
to undermine significantly the quality of care people receive, as well as the accuracy 
and reliability of the information being collected and used for outcomes analysis, 
cost effectiveness studies, research, and public health activities. 

I urge that we abandon the current dialogue that places privacy and public health 
initiatives in conflict. A new framework is needed that intertwines the values of pro- 
tecting patient privacy and fostering health care initiatives. At this juncture, let us 
treat patient privacy as a "first principle" of ensuring quality of care for individuals 
and their communities. Ideally, within such a health privacy framework, identifiable 
information patients choose to disclose outside the four walls of their doctor's offices 
would be more accurate and complete, and thus create more reliable data for use 
by doctors, researchers, and others working to enhance the quality of health care. 
By expanding our focus to incorporate privacy as an ultimate good to be achieved 
in the health care arena, we may better advance our health care initiatives. 

IV. The Role of Privacy in Care and Research 

Again, without trust that the personal, sensitive information they share with their 
doctors will be handled with some degree of confidentiality, people will not fully par- 
ticipate in their own health care. In turn, information that lacks integrity at the 
front-end will lack integrity and reliability as it moves through the health care in- 
formation environment. Therefore, protecting privacy must be an integral part of 
both ensuring good health care to individuals and improving the health of the larger 
community. If people worry that their most sensitive information will not be treated 
confidentially by their doctors, and may be disclosed without their knowledge and 
permission to their employers, pharmaceutical companies, or marketers, these peo- 
ple are likely to engage in privacy-protective behavior, such as withholding informa- 
tion from their doctors, paying out-of-pocket for services to which they are entitled 
or avoiding health care altogether. Anxiety on the patient's part over unknown and 
coerced uses and disclosures of their records— even for altruistic purposes— leads 
people to withdraw from full, honest participation in their care. This privacy-protec- 
tive behavior serves to both jeopardize peoples' health care, as well as undermine 
the health care initiatives that rely on high-quality information. 

In many ways, the relationship between people and their doctors bears the great- 
est burden in the health privacy debate: this relationship is the "hot spot," the origi- 
nating point on the health information continuum. Patients are beginning to under- 
stand that the open-ended waivers for disclosure they sign as a condition of receiv- 
ing health care and reimbursement for services leave them vulnerable to a wide 
array of uses and reuses of their health information. It is here, in the first and sub- 
sequent encounters with a particular provider, that a person decides how much to 
divulge, and whether that provider can be trusted. There are many factors that af- 
fect a person's trust and confidence in his or her doctors, and it is that level of trust 
that ultimately determines the degree of willingness to fully divulge health and 
other personal information. 

The public has consistently expressed a high degree of concern over the vulner- 
ability of their privacy, in particular the lack of protection for their personal health 
information. Decades of survey research conducted by Louis Harris & Associ- 
ates document a growing public concern with privacy. The 1995 Harris poll found 
that 82% of people were concerned about their privacy, up from 64% in 1978. 

A Health Information Privacy Survey released by Harris in 1993 found that the 
majority of the public (56%) favored the enactment of strong comprehensive federal 
legislation to protect the privacy of health care information. In fact, of that majority, 
eighty-five percent (85%) responded that protecting the confidentiality of medical 
records was absolutely essential or very important to them. An overwhelming per- 
centage wanted penalties imposed for unauthorized disclosure of medical records 
(96%), guaranteed access to their own records (96%), and rules regulating third- 
party access to personal health information. 

Harris' 1996 survey elicited a disturbing public view of researcher use of medical 
records. Only eighteen percent (18%) of the public consider the use of patient 
records for medical research without prior permission to be very acceptable. Thirty- 
nine percent (39%) found the use somewhat acceptable. The public's comfort level 
increased if the information released did not identify individual patients, but one- 
third found it not at all acceptable for researchers to use non-identifiable health in- 
formation without patient consent. 

Finally, in Harris' 1995 survey, sixty percent (60%) of respondents cited instances 
where they refused to provide requested information. This kind of privacy-protective 
behavior is not unfounded. Recent reports of abuse or misuse of peoples' health in- 
formation have confirmed the public's fear of misuse of personal medical informa- 
tion. For example: 

• The chain drug store CVS, and Giant Food, recently admitted to disclosing pa- 
tient prescription records to a direct mail and pharmaceutical company to track cus- 
tomers who don't refill prescriptions, and send them letters encouraging them to re- 
fill, and consider alternative treatments. After public outrage was expressed following 
media reports of this practice, both CVS and Giant agreed to halt the marketing 
disclosures. ("Prescription Fear, Privacy Sales," Washington Post, p. A1, 2/15/98) 

• An Orlando woman recently had her doctor perform some routine tests, and re- 
ceived a letter weeks later from a drug company touting a treatment for her high 
cholesterol ("Many Can Hear What You Tell Your Doctors: Records of Patients Are 
Not Kept Private," Orlando Sentinel, 11/30/97, A1) 

• New York Congresswoman Nydia Velasquez' confidential medical records— in- 
cluding details of a bout with depression and a suicide attempt— were faxed from 
a New York hospital to a local newspaper and television station on the eve of her 
1992 primary. After overcoming the fallout from this disclosure and winning the 
election, Rep. Velasquez testified eloquently about her experiences before the Senate 
Judiciary Committee as it was considering a health privacy proposal. 

• The Harvard Community Health Plan, a Boston-based HMO, admitted to main- 
taining detailed notes of psychotherapy sessions in computer records that were ac- 
cessible by all clinical employees. Following a series of press reports describing the 
system, the HMO revamped its computer security practices. 

• In Maryland, eight Medicaid clerks were prosecuted for selling computerized 
record printouts of recipients' and dependents' financial resources to sales represent- 
atives of managed care companies. 

• In a recent survey, 206 respondents reported discrimination as a result of ac- 
cess to genetic information, culminating in loss of employment and insurance cov- 
erage, or ineligibility for benefits. 

• The director of a work site health clinic operated by a large manufacturing com- 
pany testified that he was frequently pressured to provide personal information 
about his patients to his supervisors. 

• The late tennis star Arthur Ashe's positive HIV status was disclosed by a 
health care worker and published by a newspaper without his permission. 

• Patient Direct Metromail advertises in a pharmaceutical industry journal that 
it has 7.6 million names of people suffering from allergies; 945,000 who suffer from 
bladder-control problems; and 558,000 who suffer from yeast infections. ("Medical 
Privacy is Eroding, Physicians and Patients Declare," San Diego Union-Tribune, 2/ 
21/98, 

Focusing specifically on mental health care, a New York Times Magazine article, 
"Keeping Secrets," observed: "[A]t present it is unrealistic for people to assume that 
the raw and tender subjects they talk over with their therapists will go no further 
than the four walls of the consulting room. And many patients have become legiti- 
mately concerned about the possibility that the depression, suicide attempt, marital 
problem or alcoholism being discussed could return to haunt them in cyberspace. 
They are uncomfortably aware of the shadowy figures sitting in on their therapy 
sessions: the insurance administrator, the electronic file clerk, the case reviewer, 
other physicians with an H.M.O.—even their own co-workers and supervisors." 
(June 16, 1996, p. 38) 

Peoples' anxiety over whether they will maintain some decision-making authority 
over the use and disclosure of their personal health information by their doctors 
strongly drives their decisions to seek care, how honestly and fully they interact 
with their health care provider, whether they 'doctor hop' to avoid having all of their 
health information entrusted to one provider, and whether they pay out-of-pocket 
or file a claim. Any lack of trust or confidence in the doctor/patient relationship car- 
ries the potential of infecting all of a person's interactions with and perceptions of 
the health care environment. 

The consequences for patients, as well as the health care initiatives intended to 
serve them, are significant: 

• The patient may receive poor quality of care, risking untreated and undetected 
health conditions. 

• The doctor's abilities to diagnose and treat accurately are jeopardized by a lack 
of complete and reliable information from the patient. 

• The integrity of the data flowing out of the doctor's office is undermined. The 
information the patient provides, as well as the resulting treatment and diagnosis, 
may be incomplete and inaccurate, and not fully representative of the patient's care 
or health status. 

• A doctor may skew diagnosis or treatment codes on claim forms, or the doctor 
may keep separate records to be maintained and kept within the doctor's four walls, 
and send on incomplete information for claims processing in order to encourage a 
patient to more fully communicate. 

• The credibility of any research or analysis performed in reliance on the patient's 
data is called into question. Not only is the patient's health data unreliable from 
her medical record and claims data, the downstream user (researcher, public health 
official) lacks any information as to whether the information might lack integrity 
or why. In other words, there may be no clue in the record that something is miss- 
ing or false. 

In the health care setting, when patients withhold information or shun care to 
protect their privacy, they must do so with a broad, undiscriminating brush— they 
have to calculate for every negative possibility. But, if people are assured that their 
health information will be safeguarded, and if they are empowered to make in- 
formed, voluntary choices about the secondary use of their health information, peo- 
ple are likely to seek care, more fully open up to their health care providers, and 
make educated decisions about the disclosure and use of their personal health infor- 
mation. 


V. Consensus for a National Health Privacy Policy 

A consensus exists among the public, policymakers, and a broad spectrum of the 
health care field that a comprehensive health privacy policy is needed in this coun- 
try. As a recent editorial in the Washington Post concluded: "Of all the threats 
posed to personal privacy by new information technologies, the threat to the privacy 
of medical records is by far the most urgent." ("Medical Files, or Fishbowls?" 
9/23/97, p. A16) 

Reports of the last twenty years are unanimous in concluding that a comprehen- 
sive national health privacy law is critical to ensuring both the integrity of the doc- 
tor/patient relationship and the continued development of this nation's health care 
system (See For The Record: Protecting Electronic Health Information, National Re- 
search Council, 1997; Health Data in the Information Age: Use, Disclosure and Pri- 
vacy, National Academy of Science, Institute of Medicine, 1994; Protecting Privacy 
in Computerized Medical Information, Office of Technology Assessment, 1993). In 
the past few years, every witness that has testified before the U.S. Congress has 
stated that a comprehensive federal privacy law is critical to preserving peoples' 
trust in their doctors and in the health care system. 

Most recently, the Presidential Advisory Commission on Consumer Protection and 
Quality in the Health Care Industry issued its recommendations for a patients' "Bill 
of Rights," which states: "individual patients' medical records should be treated con- 
fidentially, and disclosed only in order to treat them and pay bills." 

S. 1360, The Medical Records Confidentiality Act of 1996 introduced last Congress 
by Senators Bennett and Leahy, quickly garnered broad bi-partisan support, includ- 
ing co-sponsorship by Senators Dole, Daschle, Kassebaum, Kennedy, Jeffords, and 
Frist. Despite this powerful hand holding, agreement on the scope and implementa- 
tion of a national health privacy policy continues to present a challenge. 

We now have a new and promising opportunity for meeting this challenge. The 
recently enacted Health Insurance Portability and Accountability Act of 1996 
(HIPAA) includes a provision mandating that either Congress or the Secretary of 
HHS establish an enforceable privacy regime to protect personally identifiable 
health information. (P.L. 104-191, also known as Kassebaum-Kennedy) In HIPAA, 
Congress set itself a time limit of August, 1999 for enacting a health privacy law. 
If Congress fails to act by that time, the Secretary of HHS is required to promulgate 
health privacy regulations by January, 2000. 

To provide some guidance for legislation, HIPAA required the Secretary to submit 
to Congress her blueprint for health privacy legislation. In September 1997, Sec- 
retary Shalala issued a set of recommendations to Congress to "enact national 
standards that provide fundamental privacy rights for patients and define respon- 
sibilities for those who serve them." The Secretary's recommendations parallel to a 
large extent the recommendations of other national bodies, as well as incorporating 
approaches taken by many of the proposed medical confidentiality bills introduced 
in Congress over the past. The major recommendations are to: 

• Impose new restrictions on those who pay and provide for care, as well as those 
who receive information from them. It should prohibit disclosure of patient- 
identifiable information except as authorized by the patient or as explicitly per- 
mitted by the legislation. Disclosures of identifiable information should be limited 
to the amount necessary to accomplish the purpose of the disclosure, and should be 
used within an organization only for the purposes for which the information was col- 
lected. 

• Provide consumers with significant new rights to be informed about how their 
health information will be used and who has seen that information. Providers and 
payers should be required to advise patients in writing of their information prac- 
tices. Patients should be able to see and get copies of their records, and propose cor- 
rections. A history of disclosures should be maintained by providers and payers, and 
be made accessible to patients. 

• Provide for punishment for those who misuse personal health information and 
redress for people who are harmed by its misuse. There should be criminal penalties 
for obtaining health information under false pretenses, and for knowingly disclosing 
or using medical information in violation of the Federal privacy law. Individuals 
whose rights under the law have been violated should be permitted to bring an ac- 
tion for damages and equitable relief. 

Secretary Shalala concludes that "without safeguards to assure that obtaining 
health care will not endanger our privacy, public distrust could turn the clock back 
on progress in our entire health care system." (Shalala report, pp 1,2.) 

However, the Secretary's report drew fire from the Hill, the media, health care 
providers, and health privacy experts for her recommendation that law enforcement 
officials continue to have virtually unfettered access to personal health records. As 
The New York Times editorial decried: "The exemption for law enforcement agencies 
is a huge loophole The need to combat fraud in the nation's trillion-dollar health- 
care industry is indisputable. But it hardly justifies granting less privacy protection 
to the intimate information contained in medical records than existing Federal stat- 
utes now extend to the records of banks, cable television, video rental stores, or E- 
mail users, as the Administration's plan bizarrely contemplates." (See "Trifling with 
Medical Privacy," NY Times, 9/97) 

No other federal privacy statute provides such an exemption for law enforcement. 
In fact, most of the U.S. privacy laws were enacted specifically to bring law enforce- 
ment under a Fourth Amendment warrant mandate. 

It is also worth noting that HIPAA includes a provision known as "Administrative 
Simplification." Coupled with the law's privacy mandate is a requirement that uni- 
form health data standards for the electronic transmission of personal health data 
be developed by Spring 1998. The consequence of these dual and staggered require- 
ments is that a time line has been established by which data standards must be 
created prior to the development of privacy and security rules governing personal 
health information. Both the short time frame and the awkward sequence of events 
laid out in the "Administrative Simplification" section pose unique challenges for 
health care entities, policymakers, and patients. 

However, the congressionally mandated time limit to pass health privacy legisla- 
tion by August 1999 shifts the political landscape, and injects greater immediacy 
into the effort to find a strong, workable privacy solution. 

VI. Key Issues for Federal Health Privacy Policy 

The following is a broad outline of the key elements that must be incorporated 
in a comprehensive health privacy policy. Many of the health privacy proposals cur- 
rently pending before Congress address, in various ways, these key factors. 

• Access: People must have the right to see, copy, and supplement their own med- 
ical records. Only 28 states currently provide such a right. 

• Notice: People must be given written, easy-to-understand notice of how their 
health information will be used and by whom. Only with such notice can people 
make informed, meaningful choices about uses and disclosures of their health infor- 
mation. 

• Consent: As a general rule, patient consent should be obtained prior to disclo- 
sure of personal health information by doctors, health plans, employers, and other 
health care entities, especially if the disclosure is not related to treatment or pay- 
ment. There seems to be a broad recognition that exceptions to the rule of consent 
are needed for certain public health disclosures and in emergency circumstances. 

• Research: A federal privacy law should strengthen and expand the reach of ex- 
isting privacy safeguards for identifiable health information used by researchers. 
Overall, a national health privacy policy should create incentives for researchers to 
use non-personally identifiable health data. 

Specifically, there should be equity, uniformity, accountability and oversight in 
scope and application of the federal regulations governing Human Subjects research 
and the use of personally identifiable health information by researchers. Regulations 
should be applied to both federally and non-federally funded researchers, and the 
existing standard for granting waivers of informed consent for use of identifiable 
data should be codified, strengthened and strictly applied. 

Far from hindering research, a federal health privacy law can benefit health re- 
search— by bolstering patient confidence in the use of personal health information. 
Again, protecting patient privacy can help to insure the integrity of the data at the 
front end, when it is divulged by the patient. 

• Security: It is important to require the development of security safeguards for 
the use and disclosure of personal health information. While it is critical to acknowl- 
edge that networked health information systems can pose a risk of greater mag- 
nitude and harm, technology can be used to better safeguard personal health infor- 
mation in electronic form than it would be protected if on a piece of paper in a file 
drawer (see For the Record: Protecting Electronic Health Information, National Re- 
search Council, 1997). Also, technology can be used to more efficiently anonymize 
and de-identify personal health data for public health initiatives. 

No system— either paper or electronic— can provide 100% fool-proof security, but 
existing technology does provide us with some powerful opportunities to better pro- 
tect personal information. There has been some discussion about providing people 
the option to prohibit their personal health data from being maintained and trans- 
mitted in electronic format. I believe that such an "opt-out" may create a false ex- 
pectation that sensitive information is better protected in paper form. Again, this 
is not necessarily true if strong security policies and tools are built-in to information 
systems. 

• Law Enforcement: A federal health privacy law should include a court order re- 
quirement, with a standard as stringent if not more so than that set out in the 
Video Privacy Protection Act (better known as "The Bork Bill"). Constitutional prin- 
ciple requires that individuals should be shielded from unjustified government in- 
trusion. Currently, no federal privacy statute provides a broad exemption for law 
enforcement. In fact, most of the U.S. privacy laws were enacted specifically to bring 
law enforcement under a Fourth Amendment warrant mandate. 

• Remedies: In order to be truly effective, a federal health privacy law must have 
strong remedies in place. For instance, strict civil penalties and criminal sanctions 
should be imposed for violations of the law, and individuals should have a private 
right of action against those who mishandle their personal medical information. 

• Preemption: No precedent exists in our federal privacy and civil rights laws for 
preempting state law. In the case of health privacy, we do not yet have a com- 
prehensive survey of state law that would even indicate what state laws we would 
be preempting. Further, health care entities are currently doing business and trans- 
ferring information interstate, complying with various state health privacy laws. 

Serious consideration should be given to any proposal to preempt state law in this 
area, thereby locking the states out of tailoring their laws to reflect particular cir- 
cumstances. For instance, stronger state mental health and communicable disease 
confidentiality laws should not be preempted, given the long history of stigma and 
discrimination against people with these conditions. Moreover, given what we know 
of the resistance to testing and accessing treatment, these state privacy laws help 
to promote broad public health interests. 

VII. Conclusion 

I am optimistic that the political will exists this Congress to pass legislation that 
truly protects peoples' privacy in the health care setting, without unduly compromis- 
ing valuable health care initiatives. The time has come for a cohesive, forward- 
thinking health privacy paradigm that acknowledges privacy's critical role in health 
care, and integrates it at various states throughout the health care system. People 
must be empowered to be more active, informed consumers of health care and know- 
ing, willing participants in the broader health care activities that impact their lives 
and well-being of their communities. If we are to achieve the oft-touted goals in 
health care, people must have trust and confidence that the health care system will 
safeguard their personal health information. Loss of personal privacy— and ulti- 
mately the erosion of reliable health information— must not be the price of progress. 


Chairman Thomas. Thank you very much. 
Dr. Birge. 

STATEMENT OF JAMES BIRGE, M.D., MEDICAL DIRECTOR AND 
CHIEF EXECUTIVE OFFICER, MACGREGOR MEDICAL ASSO- 
CIATION, HOUSTON, TEXAS; ACCOMPANIED BY JIM SLOANE, 
VICE PRESIDENT OF BUSINESS DEVELOPMENT, AMERICAN 
MEDICAL MANAGEMENT, HOUSTON, TEXAS 

Dr. Birge. Again, thank you for inviting us to testify here. I am 
Dr. Birge, the medical director and the chief executive officer for 
MacGregor Medical Association. With me is Jim Sloane, vice presi- 
dent of business development for our computer systems. We are 
here to describe what we have been doing with electronic medical 
records from a clinical standpoint, which I will address, and Mr. 
Sloane will address it from a security standpoint with a little show- 
and-tell of what it looks like. 

Essentially, I echo everything that Dr. Borowitz said in his testi- 
mony. MacGregor is a fairly large group. Right now there are 22 
sites in Houston, 5 in San Antonio, a total of about 220 doctors. We 
are taking care of about 210,000 patients in Houston, about 40,000 
in San Antonio. By the end of the eighties it was very apparent to 
us that the paper medical record just did not work. We could not 
get the clinical information to the doctors at the time the doctor 
needed it. The only answer we came up with was the computer, 
and that is what we did. 

We installed an electronic medical record that went live at the 
end of 1991, and all of the patients are now in that computer base. 
It handles 1.1 million visits a year. It makes available essentially 
all the outpatient data for the physician at the time the physician 
needs it. We do this by providing computers in the doctors' offices, 
nurses' stations, in the ERs of plan hospitals, L&D, that sort of 
thing. They can also have access at home, if the physician wants. 

What that does is allow us to use the computerized information, 
which includes progress notes, lab reports, x rays, and problem 
lists, and use it in four fundamental categories: The first would be 
taking care of that individual patient, so that whether the patient 
shows up at the office on a scheduled visit, or they are showing up 
in the evening as a walk-in; or they are hitting the L&D room or 
the ER of the plan hospital, the medical information is there for 
the physician taking care of the patient. As other people have pre- 
viously testified, the quality of care is better that way, and hope- 
fully things are more economical and expedient from a time stand- 
point. 

A quick example. A 70-year-old woman hits her after-hours facil- 
ity; feels a little tired, a little dizzy. The doctor does a review— does 
not have the paper record available but does have access to the 
clinical information in the computer. Finds a hemoglobin at 10.1, 
which is slightly anemic. Is that new or old? Should he worry or 
not worry? The computer says the hemoglobin has been like that 
for the last 10 years. You are not going to worry about it. There 
are just numerous examples like that. 

Second point: Identification of high risk patients. The medical 
paradigm, if you allow me to use this trite word, has always been 
episodic. We wait for the patient to intervene with us. We wait for 
them to get sick, feel lousy, something bad is happening, and then 
the doctor jumps in and tries to save the day, usually with poor 
success. 

What we need to do is move to the next millennium, and that 
is identifying the high risk patients before they blow up. How do 
you do it? Information. The computer systems can look at patients 
with mild renal failure. They have not been back in to see a doctor 
in more than 1 year. That is a high risk patient. Somebody whose 
glucose is not under tight control, hasn't seen a doctor in 6 months, 
that is a high risk patient. 

This is where the medical profession needs to go. It is our obliga- 
tion to take that next step, to treat the patient as a continuum, not 
as an episode, and that all requires information linked together 
chronologically. 

The third area is quality assurance just within our organization. 
This would be data which is really not identifiable by the individ- 
ual but looks at all the conditions of how tightly controlled are dia- 
betics, what kind of renal functions are they obtaining, that sort of 
thing. This comes back to the outcome analysis the Chairman 
talked about earlier. 

And then, finally, quality assurance, or outside our organization; 
these are HEDIS initiatives; NCQA, that sort of thing, again where 
you can screen computer data as opposed to hordes of nurses float- 
ing through paper records one by one. It is a no-brainer. Obviously, 
the results are going to be more meaningful from a statistical 
basis, and you can look for more things using the computer than 
you can the paper record. 

With that, let me turn things over to Jim Sloane. 

Mr. Sloane. Good morning. Thank you for the opportunity. I 
would request that I move my seat over, and hopefully my tech- 
nology will work appropriately and I will demonstrate some of 
what the providers at MacGregor have access to in our information 
system. 

To start off with, in addition to the confidentiality statement 
which every employee must sign as a condition of employment, 
every time that one of the users turns on their PC, this is the 
statement that they are presented with. The only option they have, 
in order to continue to use the PC in any manner, is to agree with 
this confidentiality statement. It serves as a constant reminder to 
the employees about the importance of keeping the patient infor- 
mation confidential. 

Chairman Thomas. I do not want to interrupt you, but what is 
the consequence of violating that statement? I am trying to— imme- 
diate dismissal? 

Mr. Sloane. Correct. 

Chairman Thomas. Is that a right that has been exercised? 

Mr. Sloane. It has. 

Dr. Birge. You are right, the consequence is immediate termi- 
nation. 

Chairman Thomas. And it has been exercised? 

Dr. Birge. It has been. 

Chairman Thomas. OK. 

Mr. Sloane. The step for the user when they attempt to access 
the electronic medical record system is the same as many other 
systems. Each user has a unique identifier, user I.D., to gain access 
to the system. They also have a password. We do force the users 
to routinely change their passwords so that they cannot consist- 
ently use the same password. We also do not allow reuse of the 
passwords, so that they cannot bounce back and forth between one 
and two passwords. 

These screens do have automatic timeout after certain periods of 
inactivity and the user is logged off. 

Once they sign on to the system, depending upon the level of ac- 
cess, and it is different depending upon what type of position an 
employee has with the organization, they are presented with a 
menu of icons which they can choose from. Many of the providers 
start out with this view. It is basically a look at their schedule; 
what it looks like for a given day and a given month of the year. 

From this particular view, the physician can select a patient 
record off of the scheduling system and start looking at clinical 
data. This information is similar to what we just saw, just pre- 
sented in a different format. The physicians have access to labora- 
tory results, transcriptions, immunization histories, demographic 
information, and significant problems, as well as drug allergies. 

In order to look at a particular note, the user would just select 
which note they wanted to see off the appropriate tab. This hap- 
pens to be my son's record. That is a common occurrence, too. This 
is my son's actual record from within the system. This happens to 
be a note dictated by Dr. Patel when my son came in for a visit. 
This is the immunization flow sheet. 

This also serves as information for what type of immunizations 
were given and as a reminder to the provider when particular im- 
munizations should be given. This is just a view of the drug his- 
tory. 

We have the capability within the system to search across the 
medical records for a given patient. In this case we search for the 
word "sinusitis" and the system highlights which particular 
progress notes contain that word or phrase. And again we see that 
highlighted within this progress note. 

I have pulled up a different patient here. This is a test patient 
within our system. We see a list of the significant problems in the 
upper left-hand portion; on the right-hand side we would see drug 
allergies; and below that the same information as previously seen. 
If you wanted to look at a particular lab result, you can select it 
off the lab folder. You see the particular details of that result and 
then the physician has the capability of graphing the results if they 
desire. 

This is just a different view of the same laboratory information, 
providing a little more detail before you go in and look at a particu- 
lar result. 

That is basically what I had prepared just to give you an idea 
of what the system looks like. But to address more specifically 
some of the security aspects, I already talked about the users 
agreeing to the confidentiality statement. We also have the capabil- 
ity to restrict a user's access to the system by day of the week, hour 
of the day, and location of the device from which they are accessing 
the system. 

Also mentioned, we have the capability of restricting access by 
the level of user, so that not all users see all levels of patient infor- 
mation. 

We do keep audit trails of access to all of the information. Every 
time one of those records is pulled up of a patient and you go into 
a progress note or a laboratory result, that information is recorded 
in an audit trail. 

And to address the opening question, that is one circumstance 
where we monitor those audit trails on a routine basis. We noticed 
one particular employee had an unusually large number of accesses 
to patient records, patient data. When that employee was con- 
fronted, he immediately resigned. And we would have terminated 
him anyway if it was inappropriate use of the information. 

We do restrict access to other employees' information within the 
system, so that one employee cannot pull up another employee's in- 
formation unless they have a high level of security in order to do 
so. And that can expand beyond just other employees. Certain indi- 
viduals whose records are determined should be restricted, we have 
that capability. 

As far as the future of where we are heading, the use of a user 
I.D. and password is not the ideal situation. We continue to mon- 
itor the technology that is coming about. Two important areas are 
the use of fingerprint recognition devices, as well as retinal scan- 
ning devices. We have prototyped a fingerprint recognition device. 
We think it is very promising. 

Obviously, a fingerprint is not something that can be shared with 
other people. You cannot pass it on to other people. The technology 
is improving and the devices are becoming much more cost effective 
in order to look at implementing that type of security. We think 
that will help tremendously. 

In closing, I realize my time is up, and I would just like to state 
that I believe electronic records, with the appropriate controls, se- 
curity, and auditing mechanisms in place, can be as secure, if not 
more so, than the hard copy patient records. 

Thank you. 

[The prepared statements follow:] 

Statement of James Birge, M.D., Medical Director and Chief Executive Offi- 
cer, MacGregor Medical Association, Houston, Texas; Accompanied by 
Jim Sloane, Vice President, Business Development, American Medical 
Management, Houston, Texas 

Mr. Chairman, thank you for the opportunity to testify today regarding the impor- 
tant issue of patient confidentiality. I am Dr. James Birge, Medical Director and 
CEO of MacGregor Medical Association. Accompanying me today is Jim Sloane, Vice 
President of Business Development at American Medical Management. Jim will 
briefly demonstrate for you the superior security system we have developed at 
MacGregor. This system not only ensures patient health information is kept strictly 
confidential, but also enhances our ability to provide our patients with the highest 
quality, state-of-the-art health care available. 

MacGregor Medical Association is a multispecialty clinic founded in 1953 by two 
physicians in Houston, Texas. It currently comprises 220 providers located at 22 
sites in Houston and 5 sites in San Antonio. In Houston the physicians serve ap- 
proximately 185,000 commercial HMO members, 10,000 Medicare risk enrollees, 
and 15,000 fee-for-service patients. In San Antonio, the operation handles 18,000 
HMO paneled members and 24,000 PPO or fee-for-service patients. The total com- 
bined visits for last year were 1.1 million. 

MacGregor is illustrative of the trend toward highly integrated health care sys- 
tems. We have entered into a number of innovative arrangements with health plans 
and facilities and are responsible for several hundreds of thousands of patients. 
Along with this trend toward integration, however, has come new challenges over 
how to best keep patient information confidential while also making the information 
readily available for use in providing services to patients. 

This is the challenge Congress now faces— how to enact standards which ensure 
the highest level of patient confidentiality possible without undermining the ability 
of health plans, physicians, and other providers to use the information for producing 
higher quality health care services and treatments. 

Until very recently, the field of medicine has been devoted to mostly identifying 
and labeling various disease processes. Physicians have been able to cure almost 
nothing, though ameliorative treatment has made great strides over the past three 
decades. I believe that things are now changing. New, powerful medications and 
procedures entice us with the prospect of actually curing a few things and certainly 
controlling various disease and conditions a lot better than before. This possibility 
will require that a physician has prompt, complete medical data. Inadequate infor- 
mation will not only be costly in terms of delaying proper diagnosis and treatment, 
but could potentially be seriously harmful to the patient. In addition, complete med- 
ical information is necessary to conduct ongoing quality assurance activities and to 
continue the drive towards excellence through peer review and outcomes analysis. 

For example, today's medications are far more powerful than those used 20 years 
ago. If a doctor doesn't know what medications a patient is taking and attempts to 
treat another condition, the results may be catastrophic. It is our opinion at 
MacGregor Medical Association that medical information must be available in the 
context of an electronic medical record. Not only will the industry soon demand this 
technology, it will be malpractice to treat a patient in the absence of complete medi- 
cal information. It is therefore our challenge to create a system that: 

• Uses practical industry-wide standards 

• Establishes safeguards to protect patient confidentiality without jeopardizing 
the usefulness of the electronic medical record 

• Prevents medical information from being used inappropriately 

• Develops a process of funding the electronic medical record which does not un- 
fairly affect the patient, employer, physician, insurer, or hospital. 

MacGregor is a pioneer in the move toward electronic storage and transmission 
of patient data. MacGregor has received a great deal of national recognition and has 
won awards for the systems that it has developed. While this brings us a great deal 
of satisfaction, the more important matter is that we believe that these systems 
have assisted the caregivers in providing cost-effective, high quality care to the pa- 
tients that they serve. 

At MacGregor, patients have always been allowed to see any primary care physi- 
cian at any site. As a result of this policy, MacGregor realized by the late 1980's 
that all too often, we were unable to deliver the paper medical record to one of our 
offices scattered across Houston in time for a patient visit. It was decided that the 
only solution was a computerized medical record. This instrument went on-line at 
the end of 1991 and has been successfully used ever since. In addition to the elec- 
tronic medical record (EMR), MacGregor continues to use a standard paper chart 
which is protected by standard policies and procedures. 

Through the EMR, a MacGregor physician has access to a patient's significant 
problem list, drug allergies, progress notes, laboratory results, X-ray results, and 
immunization data. This information is available at the MacGregor clinics, plan hos- 
pitals, and— if desired by the doctor— at the physician's home via the Internet. 

The Structured Query Language database, which is explained in more detail in 
our written testimony, allows our physicians to perform a multitude of 
comparative studies which, we think, improve overall patient care. Again, without 
access to this data, quality of care is significantly compromised. Reports are particu- 
larly useful in identifying high-risk individuals and those patients who are overdue 
for screening tests. Some examples include: women overdue for mammogram; 
women overdue for a PAP smear; abnormal blood tests which haven't been repeated 
in a certain period of time; children who are due for certain immunizations; renal 
failure patients overdue for kidney tests; diabetics who have poor sugar control; and 
high cholesterol patients with inadequate follow-up. 

Results of such studies are patient specific so that the clinical department may 
contact the patient and arrange to have the appropriate action taken. 

Federal standards which either limit our access to this information, or require
that we obtain patient authorization at every point of contact, will serve only to un- 
dermine our quality control and enhancement efforts. Results of such studies are 
patient specific so that the clinical department may contact the patient and arrange 
to have the appropriate action taken. 

Security of the Electronic Medical Record 

In spite of the positive aspects and advantages of an electronic medical record, 
we are certainly aware of the potential damage and danger of this information being 
disseminated to improper individuals or being used for other than the intended pur-
pose. With that in mind, we will present the security measures and procedures that
MacGregor has implemented to help prevent misuse.

We consider ourselves a pioneer in the development and use of these types of out-
patient clinical systems. While this brings us a great deal of satisfaction, the more
important matter is that we believe that these systems have assisted the caregivers
in providing cost effective, high quality care to the patient that they serve. It is sim- 
ply impossible to have a hardcopy medical record available in 30 outpatient loca- 
tions, emergency rooms and labor and delivery areas of the local hospitals, all at 
the same time, in anticipation of a patient showing up on the doorstep. 

Our central computing facility, which houses the patient clinical data, has several 
physical security measures in place. The front entrance to the building is monitored 
by a receptionist who ensures that all visitors to the building sign in and list which 
employee they are visiting. The receptionist then places a phone call to the em- 
ployee letting them know that they have a visitor. The visitor is accompanied during 
his visit to our facility. The employee entrance to the building and the parking lot 
are secured 24 hours a day, seven days a week, 365 days a year. Each authorized 
employee, who has filled out the proper form, is given an access card to the parking 
lot and the building. Every time the card is swiped to enter the parking lot or the 
building, an entry is made in an electronic log which lists the owner of the card 
and the date and time they entered. The section of the building that houses the 
computer on which the data resides is also secured by an additional card reader. 
During off peak hours, when the employees working in this area are not present, 
only those select employees who have a need to enter the computer room are able 
to do so by swiping their card. This is also recorded in an electronic log. 

With respect to the EMR application that grants users access to patient data, only 
those users who have filled out the proper forms, have been authorized and ap- 
proved by their manager, and have been assigned a User ID and a password are 
able to access the system. In addition, we have software in place which mandates 
that users change their passwords on a predetermined basis and which prohibits 
reuse of passwords during certain time intervals. Additionally, to limit the possibil- 
ity of an employee leaving his system logged on indefinitely, the EMR application 
"times out" after a period of inactivity and the user is logged off of the system. 
Every time that a personal computer is powered on by a user of our system, the 
user is presented with a confidentiality statement, a copy of which is attached, to 
which he must agree in order to gain access to the EMR application. This serves 
as a constant reminder to our employees about the confidential nature of the infor- 
mation contained within our system. 

When remote users access our system, via direct dial-up or through the Internet,
in addition to the User ID and password that are required to gain entry to the appli-
cation, they must also have a second User ID and password to gain entry to the 
remote access server. This is in addition to a piece of proprietary software that they 
must have loaded on their personal computers in order to gain access remotely. All 
data that passes through the public network is encrypted through the use of this 
remote access software. We also use an Internet firewall which prevents our sys- 
tems from being directly accessed through the Internet. Every outside system at- 
tempting a connection to our EMR system must first pass the criteria we have es- 
tablished. In our environment, the EMR is not accessed directly from the Internet. 
Access is first passed through a firewall and then to a gateway server that connects 
into the EMR system.

Through the use of internally developed security software, we also have a great 
deal of control over access to the EMR and other applications. We have the capabil- 
ity to restrict a user's access by day of the week, hour of the day, and the location 
of the device which he is using to access the system. We can allow or restrict an 
individual user's access to all, or select elements, of patient data. We can restrict 
access to another employee's clinical information as well as other individuals whom
it is determined should have restricted access to their clinical data. Within each 
"window" of the application we have the ability to restrict access to any or all of 
the following functions: inquiry, add, update, or delete capability. Within the 
MacGregor Medical Association provider group, which practices in two different cit- 
ies in the state of Texas, we have the ability to logically separate patient's data by 
region code. Although patient data is not generally made available to the doctors 
from the city in which they do not practice, if a patient visits the doctor in the other 
city and signs a release form, electronic access to the data can be granted. 

In addition to all of the security measures mentioned above, we maintain an elec-
tronic log in which a record is kept every time that a user accesses patient clinical 
data. This log lists the User ID that accessed the data, the date and time of the 
access, the type of information that was accessed, and the terminal ID from which 
the access was made. This log is monitored on a regular basis by the security ad-
ministrator in an attempt to determine if patient records are being accessed improp-
erly. In one particular circumstance, an employee was confronted about his unusu-
ally high number of inquiries to patient clinical data. The employee immediately re- 
signed. While some may rightfully argue that this auditing capability is "after the 
fact," compare it to the inability to audit access to hardcopy patient records. While 
in many places a handwritten log is maintained, I would argue that it is not nearly 
as accurate or effective at limiting inappropriate access to patient medical records. 

We know that a User ID and password mechanism is not 100% foolproof, so we 
continue to research and evaluate alternative means of uniquely identifying individ- 
ual users of our system. Two promising possibilities include fingerprint recognition
and retinal scanning. These types of systems are becoming more and more feasible 
as the technology improves and the cost declines. 

There is a tremendous tradeoff between the level of security implemented and the 
usefulness and usability of any computer system. If the restrictions imposed are too 
severe and time consuming, the physicians and other providers will not use the sys- 
tem regardless of the value it brings. I believe that Electronic Medical Record sys- 
tems, if implemented with the proper controls and auditing mechanisms in conjunc- 
tion with enforced policies and procedures, can be made as secure, if not more so, 
than hardcopy medical records. 

In conclusion, thank you again for the opportunity to testify on this complex and 
important issue. As you face the challenge of enacting federal confidentiality stand- 
ards, MacGregor encourages you to reflect on the advantages of responsible use of 
patient information and to consider the negative consequences of imposing measures 
that are so restrictive that they undermine quality. 

The challenge is great. The rewards for the patient and the system as a whole 
will be fantastic. 


Confidentiality Policy Statement 

All information in a patient's medical record is STRICTLY CONFIDENTIAL. This 
information should not be discussed with anyone other than MEDICAL PERSON- 
NEL with proper authorization and a LEGITIMATE 'NEED TO KNOW'. Breach of 
confidence may be grounds for immediate dismissal. 
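
The access restrictions and audit-log review described in the statement above, sketched as an added example. This is not MacGregor's software: every class, field name, region code, terminal ID and the flagging threshold below is an assumption constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median


@dataclass
class Profile:
    user_id: str
    region: str      # region code of the city where the user practices
    days: set        # permitted weekdays, Monday == 0
    hours: range     # permitted hours of the day
    terminals: set   # terminal IDs, standing in for device location
    windows: dict    # window name -> subset of inquiry/add/update/delete


@dataclass
class Patient:
    patient_id: str
    region: str
    restricted_to: set = None  # if set, only these user IDs may open the chart
    released_regions: set = field(default_factory=set)  # signed release forms


def check_access(profile, patient, window, function, when, terminal, log):
    """Return (allowed, reason) and append the attempt to the audit log."""
    if when.weekday() not in profile.days:
        verdict = (False, "day of week")
    elif when.hour not in profile.hours:
        verdict = (False, "hour of day")
    elif terminal not in profile.terminals:
        verdict = (False, "device location")
    elif function not in profile.windows.get(window, set()):
        verdict = (False, "function not granted in window")
    elif (patient.restricted_to is not None
          and profile.user_id not in patient.restricted_to):
        verdict = (False, "restricted chart")
    elif (patient.region != profile.region
          and profile.region not in patient.released_regions):
        verdict = (False, "other region, no release form")
    else:
        verdict = (True, "ok")
    # Logged fields follow the statement: User ID, date and time, type of
    # information, terminal ID. "function" and "allowed" are added assumptions.
    log.append({"user": profile.user_id, "time": when, "info": window,
                "terminal": terminal, "function": function,
                "allowed": verdict[0]})
    return verdict


def flag_heavy_users(log, factor=5):
    """List users whose granted inquiries exceed factor x the per-user median.

    The factor is an assumed starting point for a security administrator's
    review, not a figure from the testimony.
    """
    counts = Counter(row["user"] for row in log
                     if row["allowed"] and row["function"] == "inquiry")
    if not counts:
        return []
    typical = median(counts.values())
    return sorted(u for u, n in counts.items() if n > factor * typical)


if __name__ == "__main__":
    # Constructed sample data: three users on one weekday morning.
    log = []
    chart = Patient("P-0001", "R1")
    when = datetime(1998, 3, 24, 10, 0)
    for uid, n in (("nurse_a", 3), ("dr_b", 4), ("clerk_c", 40)):
        user = Profile(uid, "R1", {0, 1, 2, 3, 4}, range(7, 19), {"T1"},
                       {"lab_results": {"inquiry"}})
        for _ in range(n):
            check_access(user, chart, "lab_results", "inquiry", when, "T1", log)
    print(flag_heavy_users(log))
```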


Chairman Thomas. Thank you very much. A question first to Dr.
Birge and you, Mr. Sloane, but Dr. Borowitz may want to respond.
The software you are utilizing, is it proprietary, is it off the shelf,
partially off the shelf, modified for your own use?

Dr. Birge. This software was developed by us, because back in
the late eighties we could not find anything out there we thought
would work. We would happily talk to any entity that would like
to use it.

Chairman Thomas. So, you are still amortizing the cost of devel-
opment. I was going to ask whether or not you were keeping track
of its cost effectiveness in terms of saving dollars for patient care.
But because you had to do a bit of creating with this as well, it
probably is not a fair question, because I don't think we should re-
quire the amortization of the software as part of the cost effective-
ness.

Dr. Birge. That is a very good question. We are certainly keep-
ing track of the expense. The system was written up in the CIO
magazine and received an award a couple of years ago, and did a
breakdown of some cost analysis. The real problem is what others
have identified earlier, that when you start talking about being
proactive and prevention therapy, that sort of thing, your payback
is measured in years and decades, not quarters or one financial
year. That is an issue.

Chairman Thomas. Dr. Borowitz, is yours proprietary or created? 

Dr. Borowitz. A hybrid of the two together. We do have some
cost data regarding pharmacy errors when we brought up what is
called physician order entry, where the doctors order the prescrip-
tions themselves. And when doctors made the entry directly, the
errors dropped to virtually zero within several months.

Chairman Thomas. Well, it has obviously come to my attention
this is a two-way street; that not only are you allowed to make sure
you are cost effective in dealing with what needs to be done in a
timely way, but that those who are not doing it in a timely way
are exposed as well.

Dr. Borowitz. That is correct.

Chairman Thomas. Any reaction from physicians or other health
care providers about big brother looking over their shoulder in
terms of making these decisions?

Dr. Birge. From our standpoint the answer is really no. We are
a group practice, and that whole culture is one where you know
people are looking at what you are doing and you are expected to
be on your best behavior.

Chairman Thomas. The concern about confidentiality. And, Ms.
Goldman, although I agree with you in part, I find it difficult to
talk about the points that you mentioned—discrimination, identifi-
able data versus encrypted paper records versus electronic and the
rest, and start with the assumption that privacy is so critical and
important that we ought to immediately carve out a role for States
to make decisions not limited by the broader societal needs and the
protection of the individual, which may, in fact, create a crazy quilt
pattern that would deny us the opportunity.

I think this teeter-totter is very, very difficult to balance. My con-
cern, and Dr. Detmer's concern, was the administration's position
that States certainly should be able to go beyond what the Federal
Government does in terms of rights of privacy. And I am trying to
figure out where we wind up tipping in the direction of privacy
which denies us, without real reason, the ability to collect data.
Does that concern you at all?

Ms. Goldman. Well, it absolutely concerns me, Mr. Chairman, if
I can just address the preemption issue for a moment to try to re-
spond to your concern, right now we do have this crazy quilt in the
States, with nothing at the Federal level. The States are having to
respond to the vacuum created by the absence of a Federal law, so
they are moving forward to pass privacy legislation.

What we have seen in other areas, for instance the Federal wire-
tap law, is that, as all other privacy laws, it creates a floor and
States are able to go beyond that. The Federal law, for instance,
requires one-party consent before a conversation can be taped or
intercepted. What States have done, one-third of the States, not
more than that, they have decided that is not a strong enough pro-
tection and all parties must consent to the conversation. So when
law enforcement goes into a particular area, they understand that
that State's law must be complied with if it is above what the Fed-
eral law requires.

Now in this area I think it is a little more complicated, since we
are dealing with so many.

Chairman Thomas. You need to stand that whole argument on
its head, do you not, as you are examining the issue? Does that 
make sense to you? 

Ms. Goldman. Say again. 

Chairman Thomas. The idea perhaps, where it is identifiable pa- 
tient records, we can create an opportunity for States to go signifi- 
cantly beyond what the Federal Government believes is appro- 
priate. But where we have protocols for encryption available, I 
would be very concerned about letting States go beyond the level 
that we establish to create that opportunity for uniformity of collec- 
tion of data. 

Ms. Goldman. One of the ways I think we have tried, for in- 
stance, in some of the Senate proposals of last year and on this 
side, the way we have tried to address this concern about uniform- 
ity, because researchers and industry representatives have a valid 
concern, which is that it is more convenient, more efficient, often 
easier to transfer information around the country if you only have 
one standard with which to comply and you do not have to look at 
all the various State laws. But we have an opportunity to make 
that a reality without having to broadly preempt State law by mak- 
ing sure the Federal law is written at a high enough level.

And, in fact, many of the proposals have been written with that 
in mind, looking at some of the existing State laws and saying, Let
us make sure we do not disregard the efforts that California has 
made or that New York has made, and that we make sure the Fed- 
eral law is set at that level, if not a little higher, so we are not pre- 
empting State law. We allow those laws to stand and be acknowl- 
edged and respected, but we are also knowing at the Federal level 
we need to set the bar high enough so that there really is, in effect, 
one standard. 

But I do acknowledge there may be some areas where we want 
to carve out for preemption. Research may be one of them. We may 
want to say that the Federal policy, as related to research, is pre- 
emptive. We may want to acknowledge, though, that in the public 
health area, as Dr. Detmer said, or in the mental health area,
States have been fairly active, for good reason, to protect their citi- 
zens proactively in this area of crafting privacy legislation, and we 
should be careful not to preempt those particular laws and look at 
where we have a justification for preemption. 

Chairman Thomas. I do not want to get into a debate over this, 
but my concern there is if we deal with the use of the material 
itself, we may be missing the point. Rather than focusing on identi- 
fiable records versus nonidentifiable or encrypted records, the ques- 
tion is how good is the encryption. 

Because your point about the Minnesota law, to me, is not a very 
valid one, and that is, Gee, we come within 95.5 percent of accu-
racy in some areas of collection of the data, especially in epidemiol- 
ogy and other areas, throw it out. It is not worth anything. 

Ms. Goldman. I understand. 

Chairman Thomas. The whole value of the Mayo Clinic in its ap- 
proach was it was a 100-percent universe, which gave you the abil- 
ity to do certain things. When you are dealing with certain types 
of research, especially following on our carryback, you have to have 
100 percent or it is not worth anything. And to get Mayo Clinic to 
spend its own money to convince people up front they should sign
the waiver, which by the way is like a 60-day window and then it 
is gone and you have to go back and get it, is, I think, not a good 
model to use regardless of their ability to drive that close to 100. 
Because I believe there is now something being lost in Minnesota 
because of the Minnesota law being operative, and we will hear 
from someone else on the panel that may not go as far as I did. 

But the other point I want to make is, I am very concerned, as 
we talk about the timeframe in which we are going to make laws, 
that we do not get too carried away with the anecdotal model for 
us to legislate with. The Minnesota, CVS-Giant Pharmacy list, has 
been used by everyone. The Maryland State legislature is moving 
to change that. Once it was identified and the problem was ex- 
posed, they are moving to solve the problem. 

Your argument that there are people who are carrying out cer- 
tain behaviors of denial in terms of the physician-patient relation- 
ship because they are worried about confidentiality may, in fact, be 
the case. But I have also heard enough testimony about the failure 
in medical school for physicians to get a little bit of training in sen- 
sitivity, that perhaps the inability of the physician to draw out the 
patient, to talk about this information, is a lot closer to the real 
world model than the patient coming in and creating a defensive 
posture of not telling the doctor everything because they are wor- 
ried about confidentiality. 

I think confidentiality models clearly would come from someone 
who is very concerned with privacy, but the failure of the doctor 
to do a good job of interviewing may, in fact, be closer to the real 
world. I do not want to argue the point. I want to say the anecdotal 
arguments are not going to be the ones we are going to legislate 
on, I hope. But, frankly, with the medical folk and press here, all 
we ever read about that makes the front page is anecdotal, and 
that is what our colleagues are going to respond to if we do not do 
a good job in trying to create a broad-based record of what the 
problem really is. 

Now, I will give you a chance to say something. 

Ms. Goldman. Mr. Chairman, you make some good points, and 
I want to respond to the concern about the Minnesota law. I am 
not advocating we take the Minnesota law and make it the Federal 
standard. I just wanted to point out that in their 

Chairman Thomas. I understand. 

Ms. Goldman [continuing]. In their efforts there is the compli- 
ance rate they have gotten. What I am suggesting is that while a 
4-percent error rate may suggest to epidemiologists to throw out 
the data, it is worthless, and I think that is a very important point, 
what we have not yet measured because it is so difficult to meas- 
ure, is when people are worried about confidentiality, and of course 
there are other factors that keep people from fully disclosing infor- 
mation. I recognize that. I just want to raise the point that privacy 
is one of those factors. 

Where people do not accurately share data, where they do not 
fully disclose with their doctor or withhold or do not seek care at 
all, that undermines the quality and reliability of the data, and we 
have no way to measure that. 

Chairman Thomas. I understand your point. You made it well,
both in written and verbal testimony. My concern is if we do not
move at the Federal level, the Minnesota example will be the one
used more often than not. That is my concern. And it is just not
a good model, as far as I can tell. There might be better ones out
there, and what we need to do is set an example.

The concern about access, and again, Ms. Goldman, you are the
one who focused on this, I do believe the patient should have a
right to look at their medical records. The concern I get is that the
next breath leads to, We ought to be able to supplement those
records, we ought to be able to add to those records, and then even
to the extent we ought to be able to delete from those records.

I just want to have some statement on the record by the two doc-
tors in front of us on this panel about their belief or attitude, in
the material that they deal with, of patients being able to supple-
ment their own medical records. I think the deletion one is a strong
one. We all agree that that is not a concern. But has there been
a discussion among the group or with you, in terms of the e-mail
you get and about the supplementing of records?

Dr. Borowitz. We have certainly discussed it. I think the e-mail
experience suggests that a lot of people are more comfortable writ-
ing information down, if you will, to use e-mail as a written analog.
They have an opportunity to think things out without the pressure
of time and being intimidated by a physician.

I also believe it is an opportunity to allow patients to short cir-
cuit some of the history-taking process, because they can present
the physician or health care provider with data they may think is
important but is not readily available in a written record, so that
they can put their medications, their allergies, the family history,
and they can get down to what is important, which is the reason
they showed up in the office that day.

Chairman Thomas. Do you think that patients withhold informa-
tion purposely over the concern of confidentiality?

Dr. Borowitz. I have no data, but my personal experience is
what you have already alluded to. There is usually another agenda
that is not addressed, and it is that we have not asked the right
questions to get that information; there is a fear they may not even
know that we need to help them articulate. My brother's sister's
uncle had appendicitis for 8 years, and you never asked me that
question.

Chairman Thomas. All I am trying to do is indicate there are a
lot of reasons why it occurs, it is not just unidirectional.

Thank you very much.

Does the gentleman from Louisiana wish to inquire? Does the
gentleman from California wish to inquire?

Mr. Becerra. Dr. Borowitz, and actually Mr. Sloane and Dr.
Birge as well, because you mentioned how important it might be
in the future to head toward electronic data as the main source of
information on patients, the question I asked earlier of Dr. Detmer
is, How do you make sure you get everyone on board, if you want
to make sure all patients have access to that same information and
are provided the same type of health care coverage and expertise?
How do you make sure the person who has to use that nonprofit,
very valuable clinic in the community but is one of those that oper-
ates strictly on the margin, how do you make sure they get on
board quickly?

Dr. Borowitz. I do not have a good answer to that question, ex- 
cept to say there are certainly large costs in the medical system 
now related to the generation of information for billing. The exam- 
ple I give in our own organization, which is nonprofit, is that it 
costs approximately $12 to collect the necessary documentation to 
submit the bill to the billing computer system. Those data are of 
no clinical value. 

If we developed clinical information systems that in fact collected 
clinically relevant information, and as a result we had standard- 
ized billing processes, there would be a lot of money available. It 
would probably not solve all the problems but it would solve some 
of those problems. We would get more value for the systems al- 
ready in place. 

Dr. Birge. In our universe, that effect has certainly helped us. 
The vast majority of our revenue is by capitation. So, we are not 
billing, per se, to an insurer. It costs us about $7 a visit for the 
system you saw. So, again, the dollars saved on the billing side can 
be transferred over to the information side. 

The other part is that we still have a paper record. It does exist. 
And if there would be some way to actually eliminate that, that is 
additional savings. It is just we have not figured out exactly how 
to do it. 

Mr. Becerra. I agree with everything you have said. It is just 
how do you make up for the startup costs? You are talking about 
institutions that probably have to get the computers and get the 
programmers and figure out how to work all of this out. How do 
you help them with that startup cost so they can help save money 
and start transitioning into that period where they are using only 
electronic data? 

Dr. Borowitz. I would suggest one of the things we need to know 
is, How much money are they already expending on information
systems that are sequestered in the billing universe? 

Mr. Becerra. But that will not end so long as they have a pa- 
tient that came in and was tracked with paper records. That pa- 
tient remains that way. Somehow you have to start them into this 
new era. You are right, as soon as they get into it, they will prob- 
ably save money, but that will not help them to buy the computer 
to get them there. 

Dr. Borowitz. We are in the process of upgrading our entire sys- 
tem throughout the University of Virginia health system, and one 
of the things we have realized is there is a core data set that most 
physicians want. It is fairly straightforward information. It is a 
problem list; list of allergies, list of medications, list of encounters. 
Those are things that can be captured fairly easily and backloaded 
into a system so you start with value in the system right off the 
bat. 

When we brought up our regional immunization registry, one of 
the things we realized is no one would use the system unless there 
was information already in it. We had to go back and backload, 
through office charts, 2 years' worth of data. We hired a bunch of 
high school students to do that. You will have to have some data 
in the system up front for there to be value. There are core data 
elements that all of us want that would provide for a lot of the
needs we have. 

Dr. Birge. I would also have two suggestions, and I think you 
stated it earlier, but in the for-profit sector you could do things 
from a tax standpoint which could be advantageous. And for both 
the for-profit and not-for-profit sectors, this is a plea, but the re- 
quirements of various agencies, governments, insurers are so oner- 
ous and so expensive that if you took just 20 percent of that away, 
there would be a lot of money left over to work with information 
systems. 

Mr. Becerra. OK. Let me provide, if I may, a couple of other 
questions that I hope can be responded to quickly. I know I do not
have much time. 

Mr. Sloane, you mentioned that access to information on this 
data base that you have is limited to level of user, or I guess you 
mentioned different levels, the user levels and so forth. What gives 
you access? At what point does someone at the hospital or this pro- 
vider have access to this type of information on this data base? 

Mr. Sloane. Well, each user in the system is set up with a user 
profile. Typically, depending upon the type of position they have, 
whether or not they are a physician, a physician's assistant, a 
nurse practitioner, a file room clerk, or a medical assistant, we can 
restrict access to certain pieces of the information when we set up 
their profile. So that within each window of the application that 
you saw, we can set up every user to have either inquiry, add, up- 
date or delete capability, or no access to it. So it really is deter- 
mined by the medical group, on a need-to-know basis, what level 
of information a particular user should have access to. 

Mr. Becerra. So the data entry person—I think Dr. Borowitz'
high school students had entered data—how do you restrict access
to information if you could have a data entry person be almost any- 
one? 

Mr. Sloane. In our circumstance we have data entry people who
input information off the encounter tickets. They have absolutely 
no access to the clinical information system at all. There is not a 
need to have it, so they do not. They just cannot get into the sys- 
tem. Their user ID and password do not allow them access to the 
clinical information. 

Mr. Becerra. One final question, if I may, to anyone on the 
panel. As I asked Dr. Detmer, How do you protect that 
ultrasensitive information, the person who has AIDS or the person 
who has a mental history? How do you protect that, and how do 
you resolve the dilemma for the person who has had the informa- 
tion disclosed? 

Ms. Goldman. Well, I think one of the things Congress is trying 
to do is to create a standard of protection that allows people to get 
notice about information practices and make real choices so people 
can decide what is the most sensitive kind of information for them. 

Some people would consider cancer-related information or mental 
health, genetic tests, HIV-related. Everyone has, I think, a dif- 
ferent experience, depending upon the encounter, as to how much 
they want to protect it. So I think we can build some flexibility into 
a Federal policy that allows people to make those choices with their 
physicians, with their health care providers. 

And the remedy piece of it, which I think you are asking about,
is a very important part. We have seen some of the failure of the 
existing privacy laws related directly to lack of strong enforcement 
mechanisms or lack of strong remedies. Right now the CVS or 
Giant story may be anecdotal for people who felt violated by that 
and felt it was an inappropriate disclosure. There are very few 
remedies available to them. 

Dr. Birge. I would just add that certainly it is more of a political 
call, I am sure, but as far as the doctor in the trenches is con- 
cerned, that doctor wants all the information that is available at 
that time, regardless of sensitivity, so the trick is how to do that. 
And I would again toss out the example you have heard, on the one 
side the privacy issue which is very, very important, but on the 
other hand you could have extremely adverse outcomes all the way 
up to death simply because you did not know something that you 
should have known, and the family is going to be very upset at that 
unfortunate outcome. 

Mr. Becerra. Thank you. Thank you, Mr. Chairman. 

Chairman Thomas. Of course, our ongoing concern is that we do 
collect that data, and it just seems to me we fought the battle on 
preventive care and finally won by spending the money. 

Maybe we talk about rewarding those who provide us data in the 
usable form to move toward that outcome. They get rewarded in 
some way in the system, and those that do not, do not, which 
would get us the base level of data out there faster than would oth- 
erwise be the case. 

What I find is a bit of an anomaly. You walk into a doctor's office 
and behind you are these shelves of individual manila folders with 
patient histories, but if you give them your credit card, they go to 
a computer and the billing is all computerized. It is the mental set 
of not computerizing the records because they have the hardware 
in the office. Perhaps we need to push software development. 

But, clearly, if there was a reward for putting it in a particular 
form, I imagine the private sector software would be out there 
quickly, or some entrepreneurial doctor like Dr. Borowitz will have 
something on the market that has already been pretested at the 
University of Virginia. 

But I want to thank all of you very much. This is an important 
area, and we are going to continue to rely on you to assist us. We 
do not want to legislate by anecdote and do not want to make mis- 
takes that have to be corrected, but it is an area we will have to 
move in fairly quickly. 

Thank you very much. 

I would call today's final panel, then: Dr. Sherine Gabriel, associ- 
ate professor of medicine and epidemiology at the Mayo Clinic, 
Rochester, Minnesota; and Dr. Harry A. Guess, who is head of the 
epidemiology department of the Merck Research Laboratories. 

I would indicate to both of you that any written statement you 
have will be made a part of the record, and you can address us as 
you see fit, in any way you choose. 

As soon as we move this cutting-edge technology stuff out of the 
way. Dr. Gabriel, you may begin. 

STATEMENT OF SHERINE E. GABRIEL, M.D., M.SC., ASSOCIATE 
PROFESSOR OF MEDICINE AND EPIDEMIOLOGY, MAYO 
CLINIC, ROCHESTER, MINNESOTA 

Dr. Gabriel. Thank you. Chairman Thomas, Members of 

Chairman Thomas. I will also indicate to you, Dr. Gabriel, that 
the microphone is very unidirectional. You will have to pull it down 
and speak directly into it. 

Dr. Gabriel. Is this better? 

Chairman Thomas and Members of the Subcommittee, I am Dr. 
Sherine Gabriel, a physician and researcher at Mayo Clinic. I 
thank you for the opportunity to testify before you regarding the 
important issue of medical records confidentiality. 

What I would like to do today is address two fundamental ques- 
tions bearing on this issue. The first is, What is the importance of 
medical-records-based research to the public; and the second is, 
What is the impact of legislation which restricts access to medical 
records on this category of research? 

I am privileged to work at a world-renowned medical institution. 
The Mayo Clinic's international reputation as a center of excellence 
in medicine and surgery grew out of the commitment of our found- 
ers, Drs. Will and Charlie Mayo, to integrate medical research and 
education with clinical practice. The Mayo brothers perceived a 
duty to use information from medical records to evaluate the out- 
comes of their care and to answer important public health ques- 
tions and, in 1907, pioneered the concept of the unit medical 
record, where medical data on each patient is stored in one self- 
contained packet that is kept in perpetuity. 

As you heard earlier from Dr. Borowitz, that is not the case vir- 
tually everywhere else in the country, where each provider keeps 
his or her own personal records about a particular patient. 

This concept led to the formation of REP, the Rochester Epidemi- 
ology Project. The REP includes a complete medical history of near- 
ly all Olmsted County residents from the time they were born or 
moved to the county until the time they died or moved away. 

The REP is a unique, national research treasury which has been 
continuously funded by the National Institutes of Health for over 
30 years. It has resulted in more than 1,000 scientific publications 
analyzing dozens of diseases and medical conditions. The central 
element of the REP is access to the complete medical records of all 
residents in the geographically defined population. 

Medical records research is vital to maintaining and improving 
the health of the American public. In fact, virtually every health 
hazard we know of today has been identified using information 
from medical records. Take AIDS, for example. If researchers had 
not been allowed to study the medical records of patients with un- 
usual immune deficiency problems in the late seventies, the charac- 
terization of the AIDS epidemic would have been delayed at a sub- 
stantial cost to the public's health. 

Similarly, the characterization of Lyme disease required collation 
of information from the medical records of children who were first 
presented with this new disease in Lyme, Connecticut. 

Other examples include studies examining the benefits and risks 
of estrogen treatment, as well as the risks of smoking, dietary fats, 
obesity, and certain occupations. 

You may have read that an outbreak of flesh-eating strep was 
identified at Mayo in 1995. Without access to the medical records 
of patients with these unusual infections, characterization of this 
syndrome and isolation of this deadly bacterial strain would have 
been delayed, and over 100 schoolchildren, which our research 
showed were the unwitting carriers of this deadly germ in their 
throats, would have gone untreated. 

This discovery led to the designation of invasive strep as a re- 
portable disease. Such a designation permits recognition and con- 
trol of epidemics such as the recent outbreak you may have heard 
about in Texas. 

Medical records research is also critical for evaluating the long- 
term side effects of drugs, the safety of medical devices or proce- 
dures, the cost effectiveness of alternative medical practices, and 
the usefulness of diagnostic tests. Let me give you an example or 
two in these categories. 

Long-term side effects. Nonsteroidal anti-inflammatory drugs, 
like Advil or Naprosyn, were on the market for decades before med- 
ical records research determined these drugs were associated with 
a higher risk of death due to peptic ulcer disease, particularly in 
the elderly. This work led to the development of a new class of non- 
steroidal anti-inflammatory drugs, soon to be released, which prom- 
ise a much lower risk of these side effects. 

Clinical information for medical records is critical to studies on 
the safety of medical devices or procedures. For example, studies 
examining the risk of breast implants. 

The cost effectiveness of alternative medical practices could not 
be established without clinical information from medical records. 
For example, it was medical-records-based research which deter- 
mined that a 3-day course of in-hospital bed rest for people with 
acute low-back pain was just as effective and far less costly as the 
standard of care at that time of about a 10-day hospital stay. 

Finally, it was medical-records-based research at Mayo that led 
to the discovery of the serious side effects of the diet drug Fen- 
Phen and its eventual removal from the market. 

Every medical advance I have mentioned in the last few minutes 
relied heavily on information from patients' medical records. With- 
out access to this rich source of clinical information, many of these 
advances and countless others would not have occurred. 

Let me turn quickly to my second question. What is the 

Chairman Thomas. The light is a guide. Doctor, it is not an abso- 
lute necessity. 

Dr. Gabriel. Good. In scientific podiums, there is actually a trap 
door; and so when the red light goes on, the trap door opens. 

Chairman Thomas. We have one, too. Sit comfortably for a mo- 
ment. 

Dr. Gabriel. What is the impact of legislation which restricts ac- 
cess to medical records on this category of research? 

Legislative restrictions limiting access to medical records threat- 
en the very existence of this entire category of medical research. 
This is because individuals who refuse to authorize the use of their 
medical records for research purposes are systematically different 
in important ways from individuals who do. 

The recent Minnesota privacy law provided us with the oppor- 
tunity to study these differences using a protocol approved by our 
institutional review board. We found that women were more likely 
to refuse authorization than men; that persons under 60 were more 
likely to refuse than older individuals; and persons with certain un- 
derlying illnesses, such as mental disorders, breast cancer, or re- 
productive problems were also more likely to refuse authorization. 

That means that studies describing the outcomes of these dis- 
eases or the effectiveness or cost effectiveness of treatments exclud- 
ing these individuals would be biased. They would simply give us 
the wrong answer. Moreover, studies focusing on these conditions— 
diseases of women, mental disorders, conditions related to repro- 
duction—would be at even greater risk for incorrect results; and 
this, in turn, might hamper advances against these important prob- 
lems. 

Finally, while our research was clear on the point that individ- 
uals who refuse authorization are systematically different from 
those who do not, the direction and magnitude of those differences 
varied from topic to topic. Whereas, you heard the overall average 
was 4 percent, it varied widely. So not only may such research re- 
sults result in the wrong answers, but it will be impossible to de- 
termine at the outset how wrong they will be or in what direction. 
Thus, the reliability and validity of findings from such research 
will be suspect. 

Let me illustrate this problem using an example. A study of de- 
pression following breast cancer would underestimate the mag- 
nitude of the problem if depressed women systematically declined 
authorization and were thereby excluded. Individuals who experi- 
ence unsatisfactory outcomes may also be more likely to refuse au- 
thorization. If so, a study of a surgical treatment with a high com- 
plication rate would underestimate the risks of surgery. 

Data such as these form the basis of health care policies, so the 
examples above could lead to a decision against funding a mental 
health program to treat depression in women with breast cancer 
and to a decision to adopt a high risk surgical intervention. Pa- 
tients need accurate information about health risks, disease prog- 
nosis, and outcomes of care in order to make informed decisions. 

In closing, I would like to comment briefly on what I believe the 
reasons are behind the public's strong desire to keep medical infor- 
mation between the patient and his or her physician. 

Our research showed that a major concern related to the possibil- 
ity that insurers or employers might use sensitive information to 
an individual's disadvantage. This concern is understandable. Al- 
though access to medical records for research purposes may be the 
only access over which the patient is given any choice, there are 
literally dozens of other opportunities for loss of confidentiality dur- 
ing routine medical care. 

For example, in an average outpatient medical encounter in an 
integrated health care center, such as ours, the following individ- 
uals and groups must have access to the complete medical record 
in order to best serve that patient's needs: the appointment office, 
the registration desk, the physicians, physician assistants, nurses, 
EKG, lab, x-ray technicians who perform the necessary tests, and 
so forth. 

In fact, for a typical inpatient encounter, it has been estimated 
that at least 75 health professionals and hospital personnel have 
access to the medical record. After all this is taken care of, a quali- 
fied nurse researcher, bound by the rules of an IRB and strict pa- 
tient confidentiality regulations, could be abstracting clinical data 
from the medical record which will be combined with similar data 
from hundreds of other patients to answer a specific public health 
question. The current Minnesota law and other proposed legislation 
influence only that nurse's access to the medical records and have 
no impact whatsoever on the 75 other points of access. 

Mr. Chairman, such legislation does not ensure the privacy of 
personal medical information. It does not address the public's con- 
cerns regarding potential misuse of personal health information by 
insurers and employers. Instead, it hinders scientific research and 
puts the public's health and well-being at risk for serious harm. 

Thank you for your attention. 

[The prepared statement follows:] 

Statement of Sherine E. Gabriel, M.D., M.SC., Associate Professor of 
Medicine and Epidemiology, Mayo Clinic, Rochester, Minnesota 

Chairman Thomas, members of the committee, I am Dr. Sherine Gabriel, a physi- 
cian and researcher at Mayo Clinic. Thank you for the opportunity to testify before 
you regarding the important issue of medical records confidentiality. 

Today, I would like to discuss two fundamental questions bearing on this issue. 
The first is: What is the importance of medical records-based research to the public? 
And the second is: What is the impact of legislation, which restricts access to medi- 
cal records, on this category of research? 

I am privileged to work at a world-renowned medical institution. Mayo Clinic's 
international reputation as a center of excellence in medicine and surgery grew out 
of the commitment of our founders, Drs. Will and Charlie Mayo to integrate medical 
research and education with clinical practice. The Mayo brothers perceived a duty 
to use information from medical records to evaluate the outcomes of their care and 
to answer important public health questions and, in 1907, pioneered the concept of 
the "unit medical record" where medical data on each patient is stored in one self- 
contained packet that is kept in perpetuity. This concept led to the formation of the 
Rochester Epidemiology Project (REP) (See Appendix). The REP includes a complete 
medical history of virtually all Olmsted County residents from the time they were 
born or moved to the county until the time they died or moved away. The REP is 
a unique, national research resource, which has been continuously funded by the 
National Institutes of Health for over 3 decades. It has resulted in over 1000 sci- 
entific publications analyzing dozens of diseases and medical conditions, and was 
ranked in the top 1% of all NIH proposals in 1995. The central element of the REP 
is access to the complete medical records of all residents of a geographically-defined 
population. 

Medical records research is vital to maintaining and improving the health of the 
American public. In fact, virtually every health hazard that we know of today has 
been identified using information from medical records. Take AIDS, for example. If 
researchers had not been allowed to study the medical records of patients with un- 
usual immune deficiency problems in the late 1970's, the characterization of the 
AIDS epidemic would have been delayed at a substantial cost to the public's health. 
Similarly, the characterization of Lyme disease required collation of information 
from the medical records of the children who first presented with this new disease 
in Lyme, Connecticut. Other examples include studies examining the benefits and 
risks of estrogen treatment, as well as the health risks of smoking, dietary fats, obe- 
sity, and certain occupations. You may have read that an outbreak of 'flesh eating 
strep' was identified at Mayo in 1995. Without access to the medical records of pa- 
tients with these unusual infections, characterization of this syndrome and isolation 
of this deadly bacterial strain would have been delayed. And over one hundred 
school children—which our research showed were the unwitting carriers of this 
deadly germ in their throats—would have gone untreated. This discovery led to the 
designation of invasive strep as a reportable disease. Such a designation permits 
earlier recognition and control of epidemics such as the recent outbreak in Texas. 
Medical records research is also critical for evaluating the long-term side effects 
of drugs, the safety of medical devices or procedures, the cost effectiveness of alter- 
native medical practices, and the usefulness of diagnostic tests. Let me give you an 
example or two in each of these categories. Long-term drug side effects: Non-steroi- 
dal anti-inflammatory drugs (those are drugs like Advil or Naprosyn) were on the 
market for decades before medical records-based research determined that these 
drugs were associated with higher risk of death due to peptic ulcer disease, espe- 
cially in the elderly. This work has led to the development of a new class of non- 
steroidal anti-inflammatory drugs (soon to be released) which promise a much lower 
risk of these side effects. Clinical information from medical records is critical to 
studies on the safety of medical devices or procedures, for example, studies examin- 
ing the risks of breast implants. The cost effectiveness of alternative medical prac- 
tices could not be established without clinical information from medical records. For 
example, it was medical records-based research which determined that a 3-day 
course of in-hospital bedrest for acute low back pain was just as effective and far 
less costly as the standard of care at that time—a 10-day in-hospital course. Finally, 
it was medical records-based research at Mayo that led to the discovery of the seri- 
ous side effects of the diet drug Fen-Phen and its eventual removal from the market. 

Every medical advance I have mentioned in the last few minutes has relied heav- 
ily on information from patients’ medical records. Without access to this rich source 
of clinical information, many of these advances would not have occurred. 

I'd like to turn now to the second question: What is the impact of legislation 
which restricts access to medical records on this category of research? Legislative 
restrictions limiting access to medical records threaten the very existence of this en- 
tire category of medical research. This is because individuals who refuse to author- 
ize the use of their medical records for research purposes are systematically dif- 
ferent in important ways from individuals who do. The recent MN privacy law pro- 
vided us with the opportunity to study these differences using a protocol approved 
by our Institutional Review Board (IRB). We found that women were more likely 
to refuse authorization than men, that persons under 60 were more likely to refuse 
than older individuals, and that persons with certain underlying illnesses such as 
mental disorders, breast cancer, and reproductive problems, were also more likely 
to refuse authorization. Studies describing the outcomes of diseases, or the effective- 
ness or cost-effectiveness of treatments which exclude such individuals, would be bi- 
ased—they would give us the wrong answer. Moreover, studies focusing on these 
conditions, i.e., diseases of women, mental disorders, and conditions related to repro- 
duction would be at greater risk for incorrect results and this, in turn, might ham- 
per advances against these important problems. Finally, while our research was 
clear on the point that individuals who refuse authorization are systematically dif- 
ferent from those who do not refuse, the direction and magnitude of those dif- 
ferences varied from topic to topic and, thus, are completely unpredictable. So not 
only may such research result in the wrong answers, but it will be impossible to 
determine how wrong they are, or in what direction. Thus, the reliability and valid- 
ity of findings from such research will be suspect. 

Let me illustrate this problem using a couple of examples. A study of depression 
following breast cancer would underestimate the magnitude of this problem if de- 
pressed women systematically decline authorization and were thereby excluded. In- 
dividuals who experience unsatisfactory outcomes may also be more likely to refuse 
authorization. If so, a study of a surgical treatment with a high complication rate 
would underestimate the risks of surgery. Data such as these form the basis of 
health care policies. So, the examples above could lead to a decision against funding 
a mental health program to treat depression in women with breast cancer and to 
a decision to adopt a high risk surgical treatment. 

Patients need accurate information about health risks, disease prognosis, and out- 
comes of care in order to make informed decisions about their own medical care. 
Health care policy makers need high quality data on the costs and outcomes of care 
provided to all patients (not just a select group) in order to make responsible health 
care decisions for the population as a whole. The inclusion of all qualifying individ- 
uals is the only way to assure that accurate conclusions are drawn about the prog- 
nosis of disease, the outcomes of therapy, or the quality of care. Such research can 
be done while taking appropriate measures for maintaining patient confidentiality, 
such as careful review and oversight by Institutional Review Boards and strict ad- 
herence to procedures restricting access to patient-specific medical information. 

In closing, I would like to comment briefly on the reasons behind the public's 
strong desire to keep personal medical information between the patient and his/her 
physician. Our research showed that a major concern related to the possibility that 
insurers or employers might use sensitive medical information to an individual's dis- 
advantage. I understand this concern. Although access to medical records for re- 
search purposes may be the only access over which the patient is given any choice, 
there are dozens of other opportunities for loss of confidentiality during routine clin- 
ical care. For example, in an average outpatient medical encounter in an integrated 
medical center such as ours, the following individuals and groups must have access 
to a patient's complete medical record in order to best serve that patient's needs: 
the appointment office, the registration desk, all physicians, physician assistants, 
and nurses who provide care for the patient, as well as their receptionists and sec- 
retaries, all laboratory, medical, nursing and other students and their mentors, 
EKG, and x-ray technicians who perform the necessary tests, infection control offi- 
cers who regularly survey medical records for reportable diseases, continuous im- 
provement officers who strive to improve our health care processes and ensure pa- 
tient satisfaction, the business office for billing, the legal department, and insurers 
and other third party payers. In fact, for a typical inpatient encounter, it has been 
estimated that at least 75 health professionals and hospital personnel have access 
to a patient medical record. 1 After all this is taken care of, a qualified nurse re- 
searcher, bound by rules of an IRB and strict patient confidentiality regulations, 
could be abstracting clinical data from the medical record which will be combined 
with similar data from hundreds of other patients to answer a specific public health 
question. The current Minnesota law and other proposed legislation influence only 
that nurse's access to the medical record and have no impact, whatsoever, on any 
of the other points of access. Mr. Chairman, such legislation does not ensure privacy 
of personal medical information and does not address the public's concerns regard- 
ing potential misuse of personal health information by insurers and employers. In- 
stead, it hinders scientific research and puts the public's health and well-being at 
risk for serious harm. Your attention should be focused instead on stopping the ac- 
tual abuses of medical record information that harms patients. 

Thank you for your attention. 


Chairman Thomas. Thank you very much, Dr. Gabriel. 

Dr. Guess. 

STATEMENT OF HARRY A. GUESS, M.D., PH.D., HEAD, 
EPIDEMIOLOGY DEPARTMENT, MERCK RESEARCH LABORA- 
TORIES, BLUE BELL, PENNSYLVANIA; ON BEHALF OF MERCK 
& CO., INC., WHITEHOUSE STATION, NEW JERSEY 

Dr. Guess. Mr. Chairman and Members of the Subcommittee, 
thank you for the opportunity to speak with you today on the im- 
portant issue of protecting the confidentiality of the patient medical 
record. I am Harry Guess, pediatrician, epidemiologist, and head of 
the epidemiology department at Merck Research Labs, a division of 
Merck and Co., a global, research-based pharmaceutical company. 

As a physician, I took an oath to protect patients' confidentiality, 
and we at Merck support the efforts to protect the confidentiality 
of patient-identifiable medical information. At the same time, care 
must be taken not to inadvertently harm the interests of patients 
by unnecessarily restricting the access of medical information for 
medical research. 

As you consider the confidential standards for medical informa- 
tion, I hope you will appreciate how essential medical information 
and medical records research are to maintaining and improving the 
health of the American people. To ensure that any legislation or 
regulations do not jeopardize biomedical research, we believe the 
following four guides should be followed: 

First, legislation should exempt clinical research that is already 
subject to regulation by FDA, the Food and Drug Administration. 
This type of research is already stringently regulated by FDA, and 
there is strong confidentiality protection for subjects in such re- 
search studies. 

Second, that legislation would not restrict the use of encrypted 
or anonymized data. The use of these coded records is critical to 
medical research and allows, for example, researchers to link 
encrypted information from several different sources, while ensur- 
ing the patients themselves remain unidentified. 

Third, the legislation should not discourage collecting and main- 
taining information necessary to monitor the safety and effective- 
ness of products that had been approved by the FDA or by foreign 
regulatory agencies. 

Finally, any national standards should preempt conflicting or in- 
consistent State laws concerning confidentiality. To allow States to 
add more stringent provisions would risk creating an inconsistent 
patchwork of requirements that could jeopardize biomedical re- 
search. You have already heard about that this morning, very elo- 
quently, from Dr. Gabriel. 

Let me give you one example of how regulation of medical infor- 
mation could inadvertently impede the conduct of research that is 
important to ensuring the safety of medicines. 

In 1995 Merck received FDA approval of our chicken pox vaccine. 
Despite decades of testing in thousands of children, you never real- 
ly can be sure of what rare yet important safety issues can be 
found once a medicine or a vaccine is incorporated into broad clini- 
cal use. To provide this level of reassurance, we undertook a study 
in more than 85,000 children to provide further information on the 
safety of the vaccine under conditions of clinical practice. We con- 
ducted the study with pediatricians at the Kaiser Permanente Med- 
ical Care Program of Northern California. 

The children received the vaccine, with parental consent, as part 
of their regular medical care. A computer-based search was per- 
formed of the medical records of the children receiving the vaccine 
and of a historical age-matched comparison group of children who 
had not received the vaccine. The information we received was 
encrypted so that Merck did not have any patient-identifiable data. 
The only people with patient-identifiable data were the pediatri- 
cians and their staff at Kaiser. 

This study provided valuable reassurance about vaccine safety 
under conditions of broad use in clinical practice and might have 
been impossible to conduct if it had been required to obtain specific 
informed consent for the medical records search from all of the par- 
ents of the vaccinated children and from the historical comparison 
group. 

This is just one of many examples of medical records research 
benefiting public health in a way that safeguards the patient- 
identifiable information. 

I thank you once again for the opportunity to express our views 
on this important topic. We at Merck believe that the confidential- 
ity of patient-identifiable medical information should be protected. 
We also believe this can be accomplished without jeopardizing ei- 
ther biomedical research or the improvements in health care result- 
ing from the research. 

Thank you very much. 

[The prepared statement follows:] 

Statement of Harry A. Guess, M.D., Ph.D., Head, Epidemiology Department, 
Merck Research Laboratories, Blue Bell, Pennsylvania; On Behalf of 
Merck & Co., Inc., Whitehouse Station, New Jersey 

I. INTRODUCTION 

Mr. Chairman, and distinguished members of the Committee, thank you for the 
opportunity to speak before you today on the important issue of protecting the con- 
fidentiality of patient medical information. I am Dr. Harry Guess, and I lead the 
Epidemiology department of Merck Research Laboratories, a division of Merck & 
Co., Inc. Headquartered in Whitehouse Station, New Jersey, Merck is a global, re- 
search-driven pharmaceutical company that discovers, develops, manufactures and 
markets a broad range of human and animal health products—both directly and 
through its joint ventures—and provides pharmaceutical benefit services through 
Merck-Medco Managed Care. 

The Epidemiology department at Merck is responsible for providing information 
on diseases to support clinical trials of new drugs or vaccines, and for conducting 
studies to help evaluate the safety of drugs and vaccines after approval. This work 
frequently involves collaboration with health care providers to study the safety of 
drugs and vaccines as they are used in clinical practice. I have also served as an 
external reviewer of research proposals submitted by managed care organizations to 
the US Food and Drug Administration (FDA) and the Centers for Disease Control 
(CDC) to conduct government-funded studies of drug and vaccine safety. I am also 
an Adjunct Professor of Epidemiology and Biostatistics at the School of Public 
Health at the University of North Carolina at Chapel Hill, where I teach epidemiol- 
ogy to graduate students. 

The purpose of my testimony today is to describe for you how important access 
to and the use of patient medical information are to medical research. I will (1) de- 
scribe for you the manner in which we conduct various types of clinical and epide- 
miological research at Merck and monitor the safety of our marketed products, (2) 
talk about the types of medical information that we use to conduct that research, 
and (3) outline some general principles regarding patient confidentiality that we 
think are key to appropriate legislation in this area. 

Let me begin by emphasizing that we at Merck support efforts to protect the con- 
fidentiality of patient-identifiable medical information, particularly in light of devel- 
opments in the area of information technology that have raised questions about lev- 
els of individual privacy. All of us are patients ourselves and we certainly recognize 
the need for protection of privacy. However, from a public health standpoint, we are 
concerned about simultaneously preserving necessary access to such data for re- 
search into new medicines that can cure or prevent disease. In protecting patients' 
privacy interests, we must be careful not to inadvertently harm the interests of indi- 
vidual patients by unnecessarily restricting access to information needed to deter- 
mine the safety and effectiveness of medical treatments, assess the usefulness of di- 
agnostic tests, identify disease risk factors, and monitor the cost-effectiveness of new 
interventions. Such research is needed to continue to be able to provide the Amer- 
ican people with health care that meets high standards of safety, effectiveness, and 
cost-effectiveness. The key to an appropriate legislative solution is to recognize and 
protect all of those interests. 

Innovations in medicine are revolutionizing health care research, as the molecular 
basis of human disease is revealed. In the past 50 years, medical science has rid 
the world of smallpox; drastically reduced the incidence of many childhood diseases 
such as diphtheria, tetanus, polio, measles, whooping cough, and rheumatic fever; 
and discovered highly effective treatments for many chronic diseases such as asth- 
ma, peptic ulcer disease, coronary heart disease, hypertension, diabetes, and 
osteoporosis. When I trained in Pediatrics nearly twenty years ago, Haemophilus 
influenzae type b was the most common form of bacterial meningitis among children 
in the United States, affecting nearly one in every two hundred children. Over the 
past ten years, the incidence of this devastating disease has been reduced nation- 
wide by more than 95% by the introduction of vaccines. 

Given this track record of achievement, the public has come to expect a steady 
stream of innovations in treatment and prevention from the research-based pharma- 
ceutical and biotechnology industries. In fact, our domestic research-based compa- 
nies now discover and develop more than half of the new medicines used in the 
United States and around the world. Merck, for example, has introduced nine im- 
portant medicines in just the last three years, including CRIXIVAN® for HIV/AIDS, 
FOSAMAX® for osteoporosis, and SINGULAIR® for asthma in patients as young 
as six years old, and we are now conducting the research necessary to develop new 
medicines and vaccines to help patients around the world. Our investment in re- 
search will also allow us to enter nine new therapeutic areas by the year 2002, rais- 
ing our total to 24— the broadest in the industry. 

Continued progress of this magnitude clearly depends on broad, multi-faceted re- 
search. This includes both basic research in chemistry, molecular biology, genetics, 
and pharmacology, which allows us to understand disease processes and identify the 
right compounds to combat the disease, and clinical research to evaluate the safety 
and efficacy of potential new medicines and vaccines. Finally, large-scale epidemio- 
logic and health services research studies are needed to help us design new clinical 
trials and to monitor how well treatments work in clinical practice. For example, 
epidemiologic research helped show us that while aspirin can reduce the risk of 
heart attacks in adults, it can cause a serious life-threatening illness called Reye’s 
syndrome when administered to children with chickenpox or influenza. Reye's syn- 
drome has been almost completely eliminated as a result of this discovery. 

With that general background in mind, we would like to propose the following 
four principles, to help guide legislation on confidentiality of medical information. 

I will first outline the principles, then discuss the types and use of patient informa- 
tion used in medical research and safety monitoring, and finally discuss each of the 
principles in more detail. 

(1) Clinical research that is subject to regulation by the Food and Drug Adminis- 
tration should be exempted from any new confidentiality requirements because this 
research is already subject to strict confidentiality protections; 

(2) Only information that directly identifies an individual should be subject to con- 
fidentiality requirements; use of anonymized, encrypted or encoded data should be 
excluded from restrictions on access; 

(3) Legislation should not inhibit the collection and maintenance of information 
to monitor or verify the safety and efficacy of approved products; and 

(4) There must be uniform national standards that preempt conflicting or incon- 
sistent state laws. 

II. Background—Different Types of Patient Medical Information 

Before I describe the various ways or settings in which pharmaceutical research- 
ers use patient medical information, I think it would be useful to explain the three 
different types of patient information that we use. First, and most pertinent to our 
discussion of confidentiality, is information that directly identifies individuals, by 
providing a name or address, for example. For purposes of our discussion today, I'll 
refer to this type of information as "patient-identifiable" information. 

The second type of information is referred to as "encoded" or "encrypted" informa- 
tion. In my testimony today, I will use the term "encrypted." This type of informa- 
tion is patient-identifiable information from which personal identifiers and means 
of directly contacting the individual (such as name, address, and social security 
number) have been replaced with a code, which is often in the form of a long num- 
ber. The identity of such an individual is not apparent from the information itself 
or from the code, but may be determined by use of the encryption key. Encryption 
keys have two important functions. One is to permit the keyholder to identify the 
patient in the event that this becomes necessary— for example if a safety problem 
is discovered that requires notifying the patient. The second function is to be able 
to "link" one data set with another data set on the same patients without having 
to reveal patient identities. For example, a study may provide information on a 
group of patients who receive medical evaluations at yearly intervals. By linking to- 
gether all of the visits on each patient, one may evaluate changes in medical condi- 
tions over time without having to reveal any patient-identifying information. One 
may also link encrypted information from pharmacy files to encrypted information 
from hospitalization records in such a way as to study the safety and effectiveness 
of drugs in very large populations without revealing any patient-identifying informa- 
tion. Essentially all patient information used in the research that I do is in an 
encrypted format, and the linking mechanisms allow for information about an indi- 
vidual contained in two or more data sets to be combined without revealing the 
identity of any individuals. 

The third type of information I will refer to as "anonymized," which means infor- 
mation from which all personal identifiers have been removed, and/or information 
that has been aggregated in such a manner that the identities of individuals who 
are the subjects of the information cannot be identified under any circumstances. 
There would be no means to identify individuals, dis-aggregate or link this informa- 
tion to other data sets containing information about such individuals by use of a 
code or a key. Information that is anonymized in this fashion is generally much less 
useful for research than is encrypted data because it may lack the detail that is re- 
quired for meaningful or sophisticated analyses. Also, with anonymized data it 
would never be possible for anyone to notify the subjects if a safety problem were 
discovered or if it became highly important to obtain additional information. Never- 
theless, we do use such anonymized information in certain specific areas of research, 
which I will discuss in more detail below. 

It is important to keep the differences between these types of patient information 
in mind, because concerns about privacy are different with information that is 
encrypted or anonymized than they are with patient-identifiable information. 

III. Use of Medical Information—In Clinical Trials 

Now I would like to describe for you some of the ways in which pharmaceutical 
researchers use these different types of information, and how patients' confidential- 
ity interests are protected. I would like to begin with a brief overview of the clinical 
drug development process, and the roles that FDA and Institutional Review Boards 
(IRBs) play in that process. 

Before testing any new drug in humans, a sponsor such as Merck must run a po- 
tential new drug candidate through comprehensive animal pharmacology and toxi- 
cology studies. With those and other pertinent data in hand, the sponsor files an 
Investigational New Drug application, or IND, with the FDA. The agency has a 
fixed period of time to evaluate the IND application and notify the sponsor if the 
agency judges the application not to be sufficient to justify undertaking human clini- 
cal trials. Upon completion of the FDA review of the IND, the sponsor begins the 
clinical study program. 

The clinical program is designed to demonstrate the investigational drug’s safety 
and efficacy in treating, preventing or diagnosing a disease or condition in humans. 
It is the most time-consuming and resource-intensive segment of the drug develop- 
ment process, including third party clinical investigators, institutional review boards 
(IRB's), FDA regulation and involvement, and, in many cases, thousands of study 
subjects, or individual patients. Today the process is made even more complex be- 
cause companies such as Merck generally seek approval of new drugs not only in 
the United States but in many foreign countries. Consequently, such trials are sub- 
ject not only to FDA regulations but also to regulations by many foreign regulatory 
agencies. Safety reports must be filed with these agencies and different agencies 
may require differing types of studies to evaluate efficacy. 

While the design of clinical trials will vary from drug to drug and from disease 
state to disease state, there are some general similarities in their typical overall 
structure, or "phases" of development. This phased approach allows researchers to 
build upon information and knowledge generated during the preceding phases as 
they broaden their study of the drug. 

"Phase 1" studies are designed primarily to assess the clinical safety of the drug 
in humans, and to determine whether the compound is sufficiently safe to be stud- 
ied further in humans. These studies usually involve a limited number (approxi- 
mately 20 to 80) normal healthy adults, who can be kept under close medical obser- 
vation and monitoring for a short period of time. 

If the data generated during the Phase 1 studies are acceptable, the sponsor can 
begin "Phase 2" studies, which are intended to demonstrate (1) the drug's efficacy 
in treating the disease or condition in humans, and (2) common or short-term ad- 
verse effects and risks that might be associated with the use of the drug. Phase 2 
studies may also help establish the most appropriate dose of a drug. Such studies 
may involve up to several hundred patients, who are treated under conditions of 
close medical observation and monitoring. 

In "Phase 3" trials, the number of patients participating expands significantly (in- 
volving several hundred to several thousand subjects) in order to study the drug's 
use in conditions that more closely resemble those that would exist after approval. 
The study group should be adequately representative in order to allow the general- 
ization of the results to the population at large. Depending on the disease or condi- 
tion being studied, study subjects can generally be treated on an outpatient basis, 
and medical monitoring is usually less strict than during the earlier phases. Phase 
3 studies intended to provide the evidence of efficacy necessary for drug approval 
must typically meet four criteria: they should be (1) controlled (one group receives 
the investigational drug and another group receives either a placebo or an active 
drug known to be efficacious), (2) double-blind (neither study subjects nor investiga- 
tors know which patient is receiving which therapy), (3) randomized (study subjects 
randomly assigned to treatment groups), and (4) of sufficient size to provide a statis- 
tically sound test of efficacy. 

All of these clinical studies are subject to extensive FDA regulations, including 
protection of patient confidentiality and the requirement that an IRB approve the 
studies before they can be initiated. The IRB's primary function is to minimize risks 
to the subjects, and to assure that the subjects are adequately informed about the 
trial and their treatment. The regulations require that the IRB be sufficiently quali- 
fied through the experience and expertise of its members to promote and to safe- 
guard the rights and welfare of study participants. The IRB has five members, each 
appointed by the institution involved, such as the hospital or academic institution 
at which the study is being conducted. Race, gender, cultural backgrounds, and sen- 
sitivity to community issues may be considered in appointing members. The IRB 
must include individuals with the necessary expertise and professional competence 
to review proposed research for compatibility with institutional commitments and 
regulations, applicable law, and standards of professional conduct and practice, and 
should include both women and men as members. Its members may not consist en- 
tirely of members of one profession. At least one member must have scientific exper- 
tise, usually a physician, and at least one member must have a primary interest 
in non-scientific areas. One member must not be affiliated with the institution or 
have an immediate family member who is affiliated with the institution; that person 
is often a member of the clergy or other representative of the broader community. 

The IRB reviews the study protocol, and is authorized to require changes to the 
protocol if necessary. The IRB weighs the potential risks to the patients versus the 
potential benefits. To approve a research study, the IRB must determine that the 
study meets seven criteria specified in FDA regulations, including, "where appro- 
priate, [that] there are adequate provisions to protect the privacy of subjects and 
to maintain the confidentiality of data." 

FDA regulations also require that no humans may be subjects in FDA-regulated 
research unless the investigator has obtained the "legally effective informed consent 
of the subject or the subject's legally authorized representative." To obtain a sub- 
ject's "informed consent," the regulations specify that information regarding eight 
basic elements must be provided to the subject, and six additional elements should 
be discussed "when appropriate." One of the mandatory elements is a statement 
that describes the extent to which confidentiality of patient records will be main- 
tained, and notes the possibility that the Food and Drug Administration may in- 
spect the records, including patient-identifiable information. The regulations also re- 
quire that the subject's informed consent be documented, using an IRB-approved 
written consent form signed by the subject or his or her legal representative. The 
IRB reviews the patient informed consent forms, and may require revisions to 
strengthen or clarify them if needed. 

The clinical investigator— the physician who is actually working with the study 
subjects— keeps patient-identifiable information for all of the study subjects, just as 
any treating physician would. This is critical to the investigator's ability to provide 
follow-up care to these patients, and to be able to contact them, if necessary, if some 
safety issue should arise. The study sponsor, such as Merck, receives only encrypted 
data from the investigator. 

Thus, in a clinical trial program, the study subjects have expressly consented to 
the researchers' use of their medical information. The IRB assures that there are 
adequate provisions in place to protect patients' confidentiality and the privacy of 
their data. We do not believe that there is any need to require any further protec- 
tions in this area. 

You may hear some mention of the "Common Rule" in discussions about confiden- 
tiality in research projects, and I want to explain the connection between the Com- 
mon Rule and the FDA regulations I talked about before. The Common Rule refers 
to the common standards for the protection of human subjects involved in research 
conducted, funded or regulated by 16 federal agencies, including the Department of 
Health and Human Services (DHHS). Those standards were published as a final 
rule in the Federal Register on June 18, 1991. The FDA had previously adopted reg- 
ulations on the protection of human subjects in research that it regulates, published 
at 21 CFR Parts 50 and 56. Those regulations were largely consistent with the prin- 
ciples embodied in the Common Rule. On June 18, 1991, the FDA published a final 
rule that modified its existing regulations to conform them with the Common Rule 
to the extent possible. There are some minor variations due to FDA's unique statu- 
tory mission under the federal Food, Drug & Cosmetic Act. However, because the 
DHHS has adopted the Common Rule as applicable to all research with human sub- 
jects that it regulates, funds or conducts, clinical research that is subject to FDA 
regulation is also subject to the Common Rule to the extent that the two are not 
inconsistent. Where the Common Rule and the FDA regulations differ, the FDA reg- 
ulations would govern. 
IV. Use of Medical Information in Epidemiological and Outcomes Research 

Generally, epidemiologists study populations to understand the extent, natural 
course and burden of disease. This information provides background for the safe and 
effective use of medicines. In contrast to clinical trials (which are experimental), an 
epidemiologic observational study tracks patients in the real world of clinical medi- 
cine. It is this science that is used to evaluate the risks and benefits of medications 
in large numbers of patients in a "real world setting." Epidemiologic studies have 
had a major impact on the public's health in general, and on our understanding of 
the risks and benefits of medications, in particular. For example, these studies docu- 
mented the relationship between aspirin and Reye's Syndrome in children, and the 
risk of vaginal cancer in daughters of women who took diethylstilbestrol (DES) 
while pregnant. They have also been instrumental in documenting risks and bene- 
fits of vaccines, oral contraceptives, and a number of other widely used medications. 
Clearly, epidemiologic studies are critical to the future of public health. 

One of Merck's sources of data includes information in the public domain. This 
type of data is encrypted by the agency or organization supplying the data, and can 
be obtained from regional, national and international claims-based and survey data. 
Examples include survey data from the National Center for Health Statistics, or 
Medicare data from the Health Care Finance Administration. Public-use data is pro- 
vided in an anonymous or encrypted form in which the user is not able to identify 
individuals who participated in the survey or study. This information may be used 
to determine the prevalence of a disease, or incidence of a disease relative to that 
found among users of an approved drug. We are not alone in our use of these impor- 
tant databases— the CDC, the National Institutes of Health (NIH) and other govern- 
ment institutions utilize these registries to track public health statistics, identify 
disease trends, and assess the economic impact of new medical and surgical treat- 
ments. 

Although large public-use databases are extremely valuable, they do not provide 
all of the necessary information needed to make drugs available to patients. There- 
fore, additional studies which involve either direct contact with a patient or collec- 
tion of encrypted medical information are necessary. These studies collect informa- 
tion on what kinds of patients are likely to develop the disease, how well existing 
treatments work, what the types and rates of complications are, what costs and 
medical care utilization are associated with the disease, and what the long-term 
consequences of the disease are. Such information is needed to design clinical trials 
necessary for drug or vaccine approval. We generally conduct such studies in col- 
laboration with managed care organizations, universities, or federal agencies such 
as the NIH or CDC. We use the data from these sources in encrypted or anonymized 
aggregate form. Within this context, we cannot— nor would we have the desire or 
need to— identify an individual patient who has participated in these types of stud- 
ies. 

The information collected in this manner provides background for new clinical 
trials and also supports drugs that have been approved for use. This type of re- 
search is different from a clinical trial because it involves analysis of data under 
conditions of ordinary clinical practice, which can be different from the conditions 
in a clinical trial. The additional risk to the patient in being involved in this type 
of data review is minimal, since we are studying the treatment and care provided 
by the patients' own physicians and the impact of that treatment on the disease or 
condition. In contrast to a clinical trial, researchers are not proposing any particular 
treatment, prescribing any medications or providing any medical care. Medical infor- 
mation regarding a medical condition or the patient's health status is obtained via 
medical record review under the direction of the treating clinic or facility, or by 
third party patient interviews. In either case, Merck receives only data that is 
encrypted or in anonymized aggregate form. 

In support of clinical trials, these data are used to: 

• Determine how many patients should be included in a clinical trial in order to 
minimize patient risk while maximizing clinical trial results 

• Provide background on the incidence or prevalence of a disease 

• Provide information on current treatment practices 

• Aid in determining the appropriate patient population to include in the trial 

• Provide data on the usefulness of questionnaires to assess safety and quality 
of life 

In addition to supporting clinical trials, outcomes and epidemiology research is 
also used to 

• Identify risk factors for developing a disease 

• Determine the long-term outcome of a treatment on disease 
• Identify patient populations who may not be receiving state of the art treatment 
or therapy 

• Identify prognostic factors and risks of disease complications 

• Determine the impact of a treatment on quality of life 

• Assess utilization of resources and provide information on the economic benefits 
of a treatment 

The importance of using encrypted patient-level data may be demonstrated by 
several studies that have impacted the health of the public and aided in the devel- 
opment of important drugs. For example, in collaboration with the government of 
Saskatchewan, we used encrypted data on all of the one million residents of that 
Canadian province to evaluate the risk of rare adverse events associated with use 
of drugs to treat arthritis in very elderly patients. For the past nine years we have 
been collaborating with investigators from Mayo Clinic as well as from Japan and 
Europe to study the long-term course of prostate diseases in men. This study has 
contributed numerous publications to the medical literature and greatly increased 
medical knowledge. 

We are currently conducting an epidemiology study in conjunction with a univer- 
sity to determine the prevalence of low bone mineral density, a measure of 
osteoporosis, in nursing home residents. This study will also determine what factors 
predict hip fracture in these patients. Patients must undergo a bone scan and allow 
the researcher access to their medical records, but the information gained from 
studying the records of these patients may provide insight into ways we can en- 
hance the quality of life of nursing home residents by preventing hip fractures. The 
university IRB has approved the study, and all subjects have provided informed con- 
sent. The university researchers conducting the study provide us only with 
encrypted or anonymized data. 

In another study, we used clinical trial data combined with data published in the 
literature to articulate the economic value of a treatment with CRIXIVAN®, our 
protease inhibitor for the treatment of HIV/AIDS. The clinical trial data was from 
our original clinical trials conducted before FDA approval of the product, and all 
study subjects had given informed consent to the use of their medical information. 
We simply re-examined those data in conjunction with the additional published data 
to simulate the long-term progression of the disease. The purpose of the cost- 
effectiveness model is to assist healthcare providers, payors and other decision- 
makers in determining health, reimbursement, and clinical policies. This model sug- 
gests that initiation of therapy with CRIXIVAN® alone and in combination with 
AZT and 3TC before the first AIDS-defining illness increases survival at a cost that 
is generally accepted by current standards. 

V. Post-Approval Safety and Efficacy Monitoring and Reporting 

In its role as the federal agency charged with helping to ensure the public health 
and safety relating to the use of drug products, the FDA has established extensive 
regulations to monitor the safety of drugs, biologics, and medical devices. FDA regu- 
lations impose on pharmaceutical companies mandatory reporting requirements for 
adverse experiences associated with the use of drug products in humans. To meet 
their obligations under this regulatory scheme, manufacturers must have access to 
patient medical information. These regulations contain stringent reporting time 
deadlines and record-keeping requirements that apply to both investigational drugs 
and marketed products. The purpose of the adverse experience reporting regulations 
and procedures is to support the FDA's efforts to protect the public safety by provid- 
ing the agency with information necessary to determine the safety profile of inves- 
tigational and marketed drug products. 

The vitality of this safety reporting system is critical to identifying safety issues 
in use of marketed products that were not identified in investigational studies. The 
reporting system is used to evaluate the seriousness of potential health problems 
and to alert the agency and health care community to take appropriate corrective 
actions. 

Because of its limited resources, the FDA heavily relies on manufacturers to in- 
vestigate reports of adverse experiences with their drug products. Manufacturers 
most often receive such reports directly from the treating physician for the patient 
involved. Sometimes patients themselves report their own adverse events. Whenever 
a manufacturer receives notice of an adverse experience associated with any of its 
products, the manufacturer is required to investigate the incident and to provide the 
information to the FDA. If additional information is not obtainable, a follow-up re- 
port is required to explain what steps were taken to obtain additional information 
relating to the adverse experience and why the information could not be obtained. 
The more detailed information that can be obtained about a particular adverse expe- 
rience, the better informed the manufacturer, the FDA and the health care commu- 
nity can be about the safety profile of marketed products. By necessity, this requires 
knowledge about confidential medical record information. In fact, FDA's 1997 Guid- 
ance on adverse experience reporting specifies that before submitting any adverse 
experience reports to the FDA, a manufacturer must have four specific pieces of in- 
formation, including "an identifiable patient." This does not mean that the reporting 
physician must supply the manufacturer with the patient's name; the reporting phy- 
sician can provide the manufacturer with encrypted information on a specific pa- 
tient, as long as follow-up information can be obtained from the physician if nec- 
essary. 

The FDA has issued regulations to ensure that the identities of patients and those 
who report adverse experiences are held in strict confidence and are not disclosed 
by the FDA or by manufacturers who possess these reports. Manufacturers are re- 
quired to encode patient identifying information before submitting reports to the 
FDA, but must maintain sufficient information to permit additional information to 
be obtained, if necessary, from the person who reported the event. Moreover, the 
identity of the adverse experience reporter, usually the patient's health care pro- 
vider, must be deleted when reporting to the FDA. These privacy protections were 
instituted to enable the FDA to continue to collect information on safety risks asso- 
ciated with FDA-regulated products that is considered vital to protection of public 
health. In addition to the need to comply with FDA reporting requirements, Merck 
must also comply with the reporting requirements of foreign regulatory agencies. 
Typically an agency from a given country will want to be made aware of worldwide 
safety information on all products which are approved in that country. Because of 
this, Merck will often have to supply foreign regulatory agencies with information 
on adverse events occurring in patients in the United States. Foreign regulatory 
agencies also respect the need for patient confidentiality and hence do not require 
any patient-identifiable information. 

Learning more about the safety profile of marketed products may not be limited 
to reports that meet the regulatory definition of adverse drug experiences but may 
also include additional information that may lead to a better understanding of cer- 
tain aspects of a product's safety profile. Thus, for example, many drug and vaccine 
products are contraindicated for use in pregnant women because of a lack of clinical 
study information about the safety of the product for use in that patient population. 
Yet, manufacturers may choose voluntarily to collect and report to the FDA informa- 
tion about a drug product's use during pregnancy even though that use is not associ- 
ated with an adverse experience. Information on use during pregnancy may be col- 
lected from health care professionals who report such use to drug manufacturers or 
the FDA. At Merck, we treat such information in the same manner as we treat in- 
formation associated with adverse experience reports. The purpose of collecting and 
reporting this information is to enhance our knowledge about the overall safety pro- 
file of a product in pregnant women. 

VI. Principles for Legislation 

As you consider confidentiality standards for medical information, I hope you will 
appreciate how vital medical information and records research is to maintaining and 
improving the health of the American public. Research on new medicines vitally de- 
pends upon patients' participation in clinical trials and researchers' access to their 
relevant medical information as well as to patient-level archival databases. 

In order to ensure that any new legislation, regulation or standards do not jeop- 
ardize biomedical research, we believe that the following four guides should be fol- 
lowed. 

First, clinical research subject to regulation by the Food and Drug Administration 
should be exempt from any new or additional requirements. This is because, as ex- 
plained above, this type of research and use of information is already stringently 
regulated by the FDA through application of the Common Rule, which, in turn, provides 
strong confidentiality protection to the subjects of clinical trial research. 

Second, access to and use of anonymized or encrypted data should be excluded 
from any new requirements or restrictions applicable to information that identifies 
patients. Only data sources or collections of samples that directly identify individ- 
uals should be subject to confidentiality protections, since information that does not 
identify an individual cannot violate one's confidentiality interest. In addition, the 
code numbers should be permitted to be used for the purpose of linking to additional 
information about subjects in a database without triggering unnecessary or burden- 
some requirements, so long as the subjects remain unidentified. 

Third, legislation should acknowledge and encourage the collection and maintenance 
of information to verify or monitor the safety and efficacy of products that 
have been approved by the FDA or international regulatory authorities. 

And finally, uniform national standards that preempt conflicting or inconsistent 
State laws concerning confidentiality are necessary. Individual states should not be 
able to add to or detract from federal rules in this area that is so critical to improv- 
ing the public health through research yielding better medicines. To allow states to 
add more stringent provisions would risk creating an inconsistent patchwork of re- 
quirements that will at best confuse and at worst seriously jeopardize biomedical 
research projects. Researchers whose primary concern should be quality and integ- 
rity of study design and execution should not also be faced with the additional com- 
plexities of satisfying inconsistent state requirements for research that crosses state 
lines. 


VII. Conclusion 

I thank you once again for the opportunity to express our views on this important 
topic. We at Merck believe that the confidentiality interests of patients in their med- 
ical information can and should be protected. We also believe that this can be ac- 
complished in a way that does not jeopardize biomedical research and the quality 
and improvements in healthcare that result from that research. 


Chairman Thomas. Dr. Gabriel, I guess for most of us, if you say 
health in Minnesota, you think of the Mayo Clinic. My concern 
was, how did Minnesota wind up passing a law which probably 
wounded significantly one of its cash cows from a pure mercenary 
point of view? Did you work with the legislature prior to the pas- 
sage of the law? Was there a relatively high level of understanding 
among the legislators of the consequences of their decision? 

Dr. Gabriel. I cannot speak directly to that because I was not 
involved, but I know that some of my colleagues were involved, and 
the extent to which there was a complete understanding of the con- 
sequences, I guess I cannot speak to that. 

Chairman Thomas. Has there been a followup with the Min- 
nesota legislature after the passage of the law so that they could 
understand the consequences? 

Dr. Gabriel. Yes, the law has recently been amended. When the 
law was first put into place, as you may know, it required us to 
put in place a very complicated and costly computerized system, 
which you alluded to earlier. 

Chairman Thomas. And you chose to do it because you thought 
it was important. 

Dr. Gabriel. We chose to be in full compliance. And that is no 
longer required. That level of compliance is no longer required, ac- 
cording to the amendment. 

Chairman Thomas. And according to your testimony, and this is 
one of my concerns, again operating, if in fact we do, on an anec- 
dotal basis or an incomplete understanding of what we are doing, 
Minnesota apparently created the system that plugged one leak 
that may or may not have been a leak of the information source 
by dealing with the nurses but left open myriad areas of leakage, 
which, in fact, if an investigation were carried out, were probably 
the primary sources of leaks, if leaks occurred. Is that a relatively 
accurate statement? 

Dr. Gabriel. That is my impression. Any legislation that focuses 
strictly on research access would do exactly the same thing. I listed 
in my written testimony not all 75 but certainly all of the other 
points of access where leakage could occur. 

I think the main concern is that legislation should address the 
concerns of the patients. And from our research, which we did on 
our local population, the main concern of the patient is not that a 
nurse abstracter will collect information and remove identifiers and 
lead to a published study. The main concerns are the issues of dis- 
crimination, that were brought up before, and the misuse of infor- 
mation by employers and insurers. 

Chairman Thomas. Dr. Guess, I can understand the narrow 
focus of your testimony in terms of Merck carrying out research 
and wanting us to stay away from FDA and the rest, but your ex- 
ample of Kaiser providing you with a research component, that was 
real-world and actually off of ordinarily collected data, which indi- 
cates to me that what we maybe need to focus on is not "what" but 
"who and why." If we can get the "who and why" right, then the 
"what" is less of a concern, except when you go to the patient- 
identifiable data level, which is of great concern. 

I am talking more about your area of research and the 
encrypting. I am not so wild about building barriers between FDA 
and HHS in terms of collecting data. I know you are, and you have 
to go it based upon who you are here for, but I am more interested 
in getting it right on all of the data that may flow than creating 
pockets of accuracy or I like what I have, so leave me alone. Any 
reaction? 

Dr. Guess. Well, sir, I really agree with the tone and the overall 
scope of your testimony. I think the concern we have about FDA 
is that we are subject to such stringent regulation in so many ways 
with FDA that adding another layer of complexity on top of that 
could create problems. 

Chairman Thomas. I would be concerned about layering, but if 
they are doing something right there, I want to borrow it and apply 
it in other areas, if it makes sense. I know it is a relatively narrow 
area you are dealing with, but in areas where there has been com- 
plete ability to maintain confidentiality, I want to look at those. 

Dr. Guess. Right. I think the issue with FDA is that, with drug 
research under FDA regulations, it is all interventional. So one can 
obtain informed consent from the subjects in a clinical trial, but in 
a retrospective data base search, where you are looking through 
anonymized records of several thousand people, some of whom may 
have moved away, because it is historical data, there would really 
be a problem of applying that paradigm in a sort of slavish way. 

Chairman Thomas. Thank you. 

Does the gentleman from California wish to inquire? 

Mr. Becerra. If I could continue that line of questioning. Are 
there then some aspects of the FDA protocol which would be most 
useful as we are trying to come up with ways to protect privacy in 
every other aspect of research and disclosure that occurs? 

Dr. Guess. Well, I think, as I said in my testimony earlier, that 
for encrypted or anonymized data, we feel that to subject that to 
the kinds of provisions we have with FDA studies could create a 
real burden. I think when it comes to patient-identifiable data, 
which is really the concern, I think some of the provisions we have 
with FDA do make sense. 

When we collect primary data on identifiable patients or when 
investigators collect that, it does make sense to have stringent pro- 
visions on that. But when we obtain anonymized data, where we 
do not know who the patients are, I think that is a very different 
situation. 

Mr. Becerra. For either of the two panelists, what is the whole 
issue of the fact that more and more we are finding that medical 
research and answers to medical dilemmas are really more than 
just national in scope, they are really global? The whole AIDS epi- 
demic is certainly one of those illnesses or diseases that falls with- 
in that category. 

How do you go about establishing privacy laws that will be suffi- 
cient if the European Union on one end has very stringent privacy 
laws and we may have other countries in other parts of the globe 
who probably do not have any at all, and if they do, they may not 
be enforced? How do you go about doing the research going beyond 
the U.S. border and ensuring that as you try to collect information 
which will give you the best result for your research that you are 
also providing the privacy that people deserve? 

Dr. Guess. I would be happy to take that, since we do research 
on a global scale. 

I do not claim to be an authority on what is going on in the Euro- 
pean scene, but I do know the pharmaceutical industry is working 
with the European Union to try to create a code of conduct that 
will enable pharmaceutical research, specifically clinical research, 
to be carried out in a way that is not impeded by some of the pri- 
vacy initiatives in Europe. 

I feel the problem is actually more a problem with some of the 
proposed initiatives in Europe actually inhibiting research in a way 
that becomes inappropriate and actually harmful to them. 

I will say in certain countries in Europe, such as Germany, for 
one, and France, to a certain extent, for another, epidemiologic re- 
search and health services research is very underdeveloped relative 
to what it is in the United States. As you go down the list of things 
that Dr. Gabriel mentioned, virtually all of those discoveries are 
American-based discoveries. We have a very strong force in that 
area. 

Dr. Gabriel. Could I respond to that? 

Mr. Becerra. Yes, of course. 

Dr. Gabriel. I think what you said also speaks to the importance 
of preemption, so that at least in the United States, we can have 
a common approach and a unified approach to these problems. 

As far as the international scene, there are a number of inter- 
national epidemiology and research groups that are now assem- 
bled. I am part of a couple of them that are devising international 
standards for these studies and trying to discuss that with the reg- 
ulatory agencies in their own settings. 

Mr. Becerra. Thank you. Dr. Gabriel. 

If I can follow up on that, where would you break on the issue 
of preemption in view of what you just said? 

Dr. Gabriel. Well, Mayo Foundation operates in five different 
States. That means the clinical practice as well as the clinical re- 
search crosses State boundaries, and it makes very little sense for 
us to have this patchwork of rules and regulations. It really hampers 
both the practice and the research activities. So we would be 
in favor of it. However, I do agree with one of the previous speak- 
ers about the value of having States do their own reportable dis- 
ease and public health work. I think that is a different category. 
But, in terms of confidentiality, I think it makes a lot of sense for 
integrated health care delivery systems such as ours that operate 
in more than one State to have one set of rules. 

Mr. Becerra. Dr. Guess, if I could return to the whole issue of 
what you face in Europe as you try to conduct research, is part of 
the difficulty that you have in Europe or in certain European coun- 
tries, is it due more to commercial issues or factors here than it 
might be actually conducting the research where, for example, they 
may want to keep their particular research market closed to their 
researchers that are home based? 

Dr. Guess. I do not actually think so. I think some of the privacy 
initiatives there may come about because much of the health care 
is socialized, and so I think it is a privacy tradition. Also, the Ger- 
man privacy tradition has its origins in other problems, and so I 
do not think it is really a commercial interest. I think it just stems 
from the way the health care is organized. 

Mr. Becerra. You mentioned that that has caused Merck and 
other U.S. pharmaceuticals problems in trying to conduct the re- 
search necessary. 

Dr. Guess. Well, I think if certain of the provisions were to go 
through, problems would be caused. 

I will also say that much of the type of research we do, for exam- 
ple the study that we did at Kaiser, could not have been done in 
many parts of Europe. So there are certain things that, just from 
their very cumbersome restrictions, would be quite difficult to do 
in many parts of Europe. I do not mean to take Europe as a whole, 
but in many parts of Europe would be quite difficult to do. 

Mr. Becerra. Thank you. 

Mr. Chairman, if I could ask one last question. 

How does the European Union treat the various nations within 
the Union? Are they provided with particular discretion? For exam- 
ple, a European Union-wide preemption. Does that exist? 

Dr. Guess. I think the objective with the European Union direc- 
tive is to create some uniformity to the European requirements, 
and they are working toward this right now. So they are trying to 
create some sort of preemption of a patchwork of national laws 
right now. But the problem may be setting the level at an appro- 
priate level. 

Mr. Becerra. Thank you. Thank you, Mr. Chairman. 

Chairman Thomas. I would tell the gentleman this is going to be 
an ongoing area in which, if we do not coordinate between the Eu- 
ropean Union, the more emerging union of the European Union, 
than we have in the past, where the historical situation of drug 
companies going to Europe to do certain types of testing and re- 
search because of the laws in the United States making it more dif- 
ficult— that if, in fact, the European Union moves on the basis in 
large part of anecdotal or other reasons for restricting that re- 
search, we have the opportunity, were we to get it right, to carry 
on the research here. 

But if we do not change other areas of the law, we will not have 
the ability to do it, notwithstanding the fact that we have now cre- 
ated an opportunity to transmit the information in a confidential 
way. So that what we do here is not the complete story. We have 
to deal with the opportunity to allow research to go on beyond the 
patient records and the collection of data. 

It would be an ultimate irony if the European drug companies, 
if there are any left after those laws are passed in Europe, would 
be coming to the United States to do the kind of research where 
the populations make sense on an analogous basis. Where they do 
not, Merck and other companies, obviously, are moving around the 
globe; and what I would very much like to do is get it right and 
set a model which is appropriate so that we can at least urge oth- 
ers to follow our example. 

I want to thank all of you for the testimony that was given, and 
especially the last panel. Without any additional questions, the 
Subcommittee stands adjourned. 

[Whereupon, at 12:10 p.m., the hearing was adjourned.] 

[Submissions for the record follow:] 


American Association of Health Plans 

I. Introduction 

The American Association of Health Plans (AAHP) is the largest national organization 
of health plans. AAHP represents more than 1,000 health maintenance organizations 
(HMOs), preferred provider organizations (PPOs), and similar network-based 
plans. Together, AAHP member plans provide quality health services for approximately 
140 million Americans. AAHP member plans are dedicated to a philosophy 
of care that puts patients first by providing coordinated, comprehensive health 
care. 

The subject of today's hearing— how to craft federal legislation to protect against 
inappropriate use of patient-identifiable health information, while at the same time 
permitting the coordination and delivery of high quality health care— is one of the 
most important issues facing federal health policy makers today. Not only is there 
great potential for harm if patient information is misused, but our health care system 
relies on patient trust as an essential ingredient to quality health care. The use 
of patient information by health care providers, health plans, and health researchers 
has already greatly improved the quality of health care. Continued use of this 
information will enable us to build on that improvement. 

Chairman Thomas, members of the Committee, and staff have been extremely 
open to discussing this issue with AAHP and our member plans, and we appreciate 
their efforts to develop workable, real-world policies and procedures regarding the 
confidentiality of patient-identifiable health information. 

This statement highlights how health plans currently use patient-identifiable 
health information to support quality assurance and improvement programs and 
emphasizes the importance of properly structuring federal confidentiality legislation 
in order both to preserve patient confidentiality and ensure that quality of patient 
care can continue to be enhanced. 

II. Health Plans Support Safeguarding the Confidentiality of Patient- 
Identifiable Health Information 

AAHP and its member plans strongly support the goal of assuring consumers that 
health plans and health care providers will respect the confidentiality of their iden- 
tifiable health information. We believe that appropriate confidentiality safeguards 
for patient-identifiable information are essential to ensuring that health plan mem- 
bers feel comfortable communicating honestly and openly with their physicians and 
other providers. Without open communication between patients and their providers, 
treatment decisions are based on incomplete or inaccurate information and quality 
of patient care suffers. 

AAHP's member plans have demonstrated their commitment to confidentiality by 
addressing this issue as part of AAHP's ongoing Putting Patients First initiative. 
Because AAHP is committed to addressing the issue of consumer confidence in 
health plans, association members must meet standards related to confidentiality. 
Member plans must safeguard the confidentiality of patient-identifiable health infor- 
mation through policies and procedures that, consistent with federal and state law, 
(a) address safeguards to protect the confidentiality of patient-identifiable health information; 
(b) provide for appropriate training of plan staff with access to patient-identifiable 
information; and (c) identify mechanisms, including a clear disciplinary 
policy, to address the improper use of patient-identifiable health information. The 
policy reinforces that health plans should not disclose patient-identifiable health in- 
formation without the patient's consent, except when necessary to provide care, per- 
form essential plan functions such as quality assurance, conduct bona fide research, 
comply with law or court order, or for public health purposes. 

This policy on confidentiality joins other policies that are also part of AAHP's Put- 
ting Patients First initiative, covering areas such as information for consumers, phy- 
sician-patient communication, choice of physician, grievance and appeals, physi- 
cians' role in plan practices, and, of course, quality assessment and improvement. 

Virtually all of the current federal legislative proposals related to confidentiality 
recognize that health plans need access to patient-identifiable information for pur- 
poses of facilitating treatment and securing payment for health services. However, 
one area where there continues to be some confusion over health plans' need for in- 
formation relates to health plans' efforts to improve quality of care. 

It is true that, for some of the quality-enhancing activities health plans under- 
take, they are able to use non-identifiable health information— information that has 
been aggregated, anonymized, coded, or encrypted in such a way that the informa- 
tion no longer reveals the identity of particular individuals. Consistent with the vast 
majority of legislative confidentiality proposals that have been considered to date, 
AAHP believes that a patient's interest in confidentiality is pertinent only when his 
or her identifiable information is involved. Because aggregate, anonymized, coded, 
or encrypted information does not identify individuals, consumers need not be con- 
cerned about the use of this information. 

However, some of the fundamental, quality-enhancing activities undertaken by 
health plans do require the use of identifiable health information. The use of health 
information in health plan quality assurance and improvement activities can greatly 
enhance the quality of health care for both the individual plan member and the 
member population as a whole, and AAHP believes that health plan members 
should benefit from these quality improvement activities. These activities are not 
only fundamental to coordinated, quality care, but in many cases are also required 
of health plans under a variety of state and federal programs and regulations, as 
well as under voluntary private sector reporting and accreditation standards. 

III. Health Plans Use Patient-Identifiable Health Information to Enhance 
Quality 

Health plans use patient-identifiable health information in a variety of activities 
that improve the quality of health care. These activities, which focus on both the 
processes of delivering care as well as on the outcomes of care, include health pro- 
motion and prevention, disease management, outcomes research, and utilization 
management. Health plans' ability to enhance quality through these activities could 
be seriously jeopardized unless federal confidentiality legislation is properly struc- 
tured. 

Health Promotion and Prevention 

Health promotion and prevention activities improve quality by enabling plans and 
providers to identify members at risk for certain illnesses or eligible for certain serv- 
ices. Plans and providers can then reach out to those members to provide informa- 
tion to them and encourage them to seek out services when they can benefit most 
from intervention and before disease progresses. Often, determining who is at risk 
involves the use of patient-identifiable health information. Health plans add much 
of value in this area because they have access to claims data and can help busy phy- 
sicians accurately identify patients at risk of certain illnesses or who are eligible for 
certain services— even among patients the physician may not have seen in some 
time. Once the plans have identified these members, they contact them and, in 
many cases, the members' physicians as well. Many plans encourage their physi- 
cians to follow-up with the identified members to schedule the necessary appoint- 
ments. 

For example, nearly all plans have implemented postcard or phone-call mammography 
reminder systems for their female members. Patient-identifiable information 
is used to identify female enrollees of a certain age who have not received a recent 
mammogram. United HealthCare's plans use patient-identifiable information to single 
out women aged 50 to 74 who are overdue for a mammogram. The plans send 
reminder notices to these women as well as to their physicians so that the physicians 
can follow-up with their patients directly. As a result of this program, in 1995, 
United HealthCare's plans across the country experienced increases in mammography 
rates ranging from 30-45%. This program and others like it promote detection 
of breast cancer in the earliest and most treatable stages. 

Disease Management 

Disease management activities improve quality by identifying members who have 
been diagnosed with certain chronic diseases and then coordinating and monitoring 
their care. Again, because health plans have access to claims data, they are well-positioned 
to identify those members who will benefit most from disease management 
programs. Health plans then contact the identified members and, in many 
cases the members' physicians, in order to encourage them to seek the appropriate 
care. 

For example, according to a recent study, 45.4% of all HMOs had diabetes disease 
management initiatives in place in January 1996.¹ Harvard Pilgrim New England 
has developed a comprehensive gestational diabetes management program that includes 
directed case management and regular vision screenings. The plan uses patient-identifiable 
information to identify members with diabetes and involve them 
in the plan's disease management program. As a result, the plan was able to increase 
annual retinal exams by 26%, eliminate diabetes-related newborn major malformations, 
and decrease the incidence of low blood sugar reactions in patients receiving 
insulin therapy. 

Asthma management is another area where health plans use patient-identifiable 
information to target members and improve the quality of care delivered to them. 
As of January 1996, 50.4% of all HMOs had asthma management programs in 
place.² PrimeCare Health Plan, for example, examines clinic and hospital record information 
to identify children with asthma who are missing an inordinate number 
of clinic appointments and who have high hospital admission rates. Working with 
the children's pediatricians, the plan involves the children and their families in an 
asthma education and management program that initially resulted in a 30% reduction 
in emergency room visits and a 60% reduction in hospital admissions for participants 
of the program. 

Outcomes Research 

Another method health plans use to improve the quality of care is outcomes research. 
Health plans use patient information to evaluate the effect of particular 
treatment programs, assess the typical course of a chronic disease over time, and 
identify variations in outcomes that may be targeted for future improvements in 
health care processes. 

For example, Kaiser Permanente of Northern California used patient-identifiable 
information to study the most effective treatment for a type of diabetes. Using identifiable 
health information of their members who had been treated for diabetes, Kaiser 
studied whether patients who matched a certain clinical profile and were treated 
with the drug Metformin experienced better outcomes than patients who did not 
have the same profile but who were also treated with Metformin. The outcomes 
analysis indicated that, in fact, outcomes were better in the patients who matched 
the profile than in those who did not match the profile. This study provided Kaiser 
physicians with the clinical evidence needed to select the most effective course of 
therapy for their diabetic patients. 

Utilization Management 

Utilization management activities involve evaluating the medical necessity and 
appropriateness of health care services both for the purposes of payment as well as 
for quality improvement. Utilization management enables plans to respond to inappropriate 
patterns of care. For example, evidence suggests that hysterectomies and 
caesarean section deliveries are over-performed in the U.S. Hysterectomies are the 
second most common procedure— performed on 1 in 3 American women by the age 
of 60. In Italy, by comparison, the figure is 1 in 6 and in France it is only 1 in 18. 
Similarly, the Centers for Disease Control estimated that physicians performed 
349,000 unnecessary caesarean section deliveries (approximately 1 out of every 12 
deliveries) in 1991— unnecessarily placing women at risk of infection and unnecessarily 
exposing them to the complications and trauma associated with major abdominal 
surgery. Health plans' utilization management programs require patient-identifiable 
information to ensure that patients receive necessary, appropriate, high-quality 
care in a cost-effective manner. 


¹ The InnerStudy Competitive Edge Part II: Industry Report, September 1996, p. 76. 
² Ibid. 

Integrated Delivery of Services 

Integrated delivery of services enables health plans and providers to utilize pa- 
tient-identifiable health information in even more ways to improve the quality of 
care. Often, physicians are provided with increased access to patient information in 
order to aid them in their management of certain health conditions. For example, 
physicians at LDS Hospital in Salt Lake City created a computer-assisted manage- 
ment program for antibiotics and other anti-infective agents which Intermountain 
Health Care now uses in its hospital intensive care settings. The program compares 
historical patient data (rendered non-patient-identifiable) on infection characteris- 
tics and antibiotics effectively used in treatment to current patient infection data. 
The system then provides decision support to physicians by recommending anti- 
infective regimens and courses of therapy based on its comparison. The system also 
helps to prevent adverse drug reactions and promote cost-effective care by enabling 
physicians to choose anti-infective regimens that are the most effective for the lowest 
cost.³ In this example, patient-identifiable information that has been rendered 
non-identifiable is used to link previous patient record information on infection 
causes and treatment regimens to the computer-assisted antibiotic management pro- 
gram to improve care for current patients. 

As previously mentioned, not only are these activities that use patient-identifiable 
information fundamental to improving patient care, but many are also required of 
health plans under a variety of state and federal programs and regulations, as well 
as under voluntary private-sector reporting and accreditation standards. For exam- 
ple: 

• Activities to monitor, detect, and respond to over- and under-utilization are re- 
quired by state HMO and utilization review laws, federal laws, and private accredi- 
tation standards: 

• Data collection and analysis of condition-specific patient outcomes are required 
of plans participating in the Federal Employees Health Benefits Program; 

• Ongoing quality assurance programs that (1) stress health outcomes and pro- 
vide for the collection, analysis, and reporting of data; (2) monitor and evaluate high 
volume and high risk services and the care of acute and chronic conditions: and (3) 
after identifying areas for improvement, take action to improve quality, are required 
of Medicare-fChoice plans under Medicare; 

• Procedures to ensure health care delivery under reasonable quality standards, 
consistent with recognized medical practice standards, and ongoing, focused activi- 
ties to evaluate health care services, are required by the NAIC Model HMO Act, 
which approximately 30 states have adopted; 

• Quality management programs that "monitor, evaluate, and work to improve 
the quality of care and quality of services provided . . . utilizing a variety of quality 
management studies, reviews, and evaluations such as . . . medical record reviews" 
are required of plans seeking URAC/AAHCC accreditation: 

• Quality management standards that monitor aspects of patient care such as dis- 
ease management, acute and chronic care, and preventive care are also required of 
plans seeking URAC/AAHCC accreditation;

• Health management systems that identify members with chronic conditions and 
offer appropriate services and programs to assist in managing their conditions are 
required of plans seeking NCQA accreditation; and

• Actions and interventions to improve quality by addressing opportunities for im- 
proved performance are also required of plans seeking NCQA accreditation. 

It is clear that health plans’ efforts to improve patient care have been recognized 
by state, federal, and private regulatory entities alike. It also should be clear that 
compromising plans' abilities to improve patient care— whether by imposing exces- 
sive regulatory requirements or by leaving plans with inadequate or partial informa- 
tion for quality studies— would result in reduced quality of care. This would present 
an obvious quandary for plans legally and contractually required to conduct quality-enhancement
activities, yet at the same time forbidden to use the information necessary
to fulfill these obligations.


3 Evans RS, Pestotnik SL, Classen DC, et al., "A computer-assisted management program for
antibiotics and other anti-infective agents," New England Journal of Medicine, January 22, 
1998; 338:232-8. 

IV. Unduly Restricting Health Plan Use of Patient-Identifiable Health
Information Would Reduce Quality 

Some of the current federal confidentiality proposals include provisions which 
would unduly restrict health plan use of patient-identifiable health information and, 
as a result, seriously threaten quality of care. One of the more restrictive and qual- 
ity-compromising approaches put forth would be to require health plans and provid- 
ers to obtain patient authorization each and every time they use identifiable health 
information. This type of authorization requirement would be impractical, costly, 
and a major burden for patients as well as for plans. Moreover, the nature of many 
of these plan activities is that they are seeking to identify individuals at risk— it 
would be impossible to obtain consent from individuals who had not yet been identi- 
fied. As a result, health plans would be unable to send mammography reminder no- 
tices or information on asthma management programs to plan members in need of 
these services. 

A second approach to restricting the use of patient-identifiable information for 
quality-enhancing purposes which has also been proposed by some would be to per- 
mit patients to opt-out of participating in quality-enhancing activities, such as 
health promotion, disease management, outcomes research, and utilization manage- 
ment. Such an opt-out provision would diminish the capacity of current health plan 
quality assurance programs and be counterproductive to improving the quality of 
patient care. In fact, withholding some patients' information within a health plan 
setting could make engaging in these quality-enhancing activities so impractical 
that plans and providers would forgo these activities for all patients— again, raising 
the potential conflict between plan obligations to improve quality and legal restric- 
tions on the use of the information needed to fulfill those obligations. For example, 
in the case of the computer-assisted management program for antibiotics, if patients 
were permitted to object to the use of their medical record information for this pro- 
gram, the data available to physicians would be incomplete and could skew the com- 
puter-generated treatment recommendations, potentially threatening the quality of 
care not just for the patient who opts out, but for all current patients. Such a threat 
could likely prompt the discontinuation of this innovative and much-lauded pro- 
gram. This would also be true for other quality-enhancement endeavors of this type. 

Leaving plans with incomplete information could also force current state, federal, 
and private reporting and quality improvement requirements to be modified and 
weakened to reflect the health plans' diminished capacity even to report on health 
outcomes or enrollees' use of services. This in and of itself would make plan quality 
improvement less effective and accreditation status less meaningful. On a more 
global level, our national goal of finding out the most effective ways to deliver 
health care— to make sure that patients get the best care for their health dollar— 
would be severely compromised. 

V. A Statutory Authorization Would Preserve Quality of Care With Fewer Procedural Barriers

For the reasons just mentioned in the previous section, AAHP supports the inclu- 
sion of a statutory authorization in federal confidentiality legislation. A statutory 
authorization would authorize in law all of the widely accepted positive uses of pa- 
tient-identifiable health information, including facilitating treatment, securing pay- 
ment, and conducting health plan quality-enhancing activities. Both the Administra- 
tion's proposal and the National Association of Insurance Commissioners' (NAIC) 
draft Health Information Privacy Model Act follow the statutory authorization ap- 
proach. A statutory authorization would achieve the goal of providing plans and pro- 
viders with access to identifiable health information to improve quality of care. And, 
by working in tandem with strong penalties for the misuse of identifiable health in- 
formation, a statutory authorization would also achieve the goal of assuring consum- 
ers that plans and providers will respect the confidentiality of their identifiable 
health information. It is AAHP's recommendation that any penalties be consistent 
with the penalties already established by the Health Insurance Portability and Ac- 
countability Act of 1996 (HIPAA) for the wrongful disclosure of individually identifi- 
able health information. 

A slightly less effective alternative to the statutory authorization that has also 
been proposed is the consolidated authorization. As proposed, the consolidated au- 
thorization would allow plans to procure a single authorization at the time of enroll- 
ment to use identifiable health information for the purposes of facilitating treat- 
ment, securing payment, and conducting quality improvement activities central to 
patient care. While the consolidated authorization is a vast improvement over having
to obtain separate authorizations each and every time patient-identifiable information
is used, this approach has limitations that the statutory authorization does
not.

For example, one legislative proposal that has followed the consolidated authorization
approach has also included provisions permitting revocation of that consolidated
authorization. Yet, expecting health plans to facilitate and pay for quality
health care services after a patient has revoked his or her prior authorization for
use of health information is a Catch-22 for health plans. Not being able to use
patient-identifiable information would interfere with plans' abilities to effectuate
payment for services already rendered, facilitate and coordinate treatment, and fulfill
legally required operational functions— in essence, paralyzing plans' ability to
effectively serve patients. On the other hand, plans— and physicians and hospitals—
could be held criminally liable for continuing to facilitate high quality treatment by
using identifiable information.

This particular legislative proposal has addressed this dilemma by giving health 
plans explicit permission to disenroll individuals from the plan upon the individual's
revocation of his or her authorization. While health plans prefer not to have to 
disenroll patients, revocation provisions often provide them no choice. In fact, given 
the liability involved for unauthorized use of information as well as for substandard 
care, revocation by an enrolled individual should perhaps be treated as 
disenrollment without requiring any further action by the plan. It should also be 
noted that plans may have underway at the time of an individual's revocation qual- 
ity improvement activities, such as outcomes research, that would continue to re- 
quire the use of the patient's identifiable health information lest the entire endeavor 
be compromised by an individual's withdrawal of his or her information mid-study. 
This again points to the superiority of the statutory authorization approach. 

VI. The Same Level of Protection Should Be Required for All Types of Patient-Identifiable Health Information

AAHP believes that federal confidentiality legislation should require the same
level of protection for all types of patient-identifiable health information. Health
care providers rely on the completeness of medical records in their treatment of pa- 
tients. Segregating certain types of health information, such as genetic information, 
from the rest of the medical record could interfere with a provider's access to health 
information that can just as easily be a predictor of future health problems as other 
types of health information. Because of this, current practice in most health plans 
supports uniform treatment of all health information and, in many cases, genetic 
information is an integral part of the medical record indistinguishable from other 
personal health information. For example, given a notation of a positive marker for 
one of the breast cancer genes in a patient's record, a physician can encourage in- 
creased mammography screenings to detect any breast cancer tumors at an earlier 
and more treatable stage. 

Moreover, oftentimes genetic information may not be any more sensitive than 
other medical record information. HIV status, treatment for mental health, reproductive
history, or evidence of sexually transmitted disease can be considered equally
sensitive information. Because many types of health information can be considered
sensitive, singling out information based on its presumed sensitivity would only
promote inconsistent protections. 

With advanced software capabilities available, it is far preferable to limit access 
to information through the use of passwords and other software controls than to re- 
quire plans and providers to physically store different types of information sepa- 
rately or treat different types of information differently. 

VII. There Should Be Nationally Consistent Rules in Areas that Affect Computerized Information Systems

AAHP believes that, given the complex and interstate nature of the way information
flows in today's health care system, federal confidentiality legislation should address
the need for nationally consistent rules in areas that affect computerized information
systems. Moreover, consistent rules governing disclosure of various portions
of computerized health records will facilitate compliance by multi-state health
plans and employers. 

VIII. Patients Should Have the Opportunity to Inspect, Copy, and Request
Amendment To Their Identifiable Health Information

AAHP supports patients having the opportunity to inspect, copy, and request
amendment to their identifiable health information. Federal confidentiality legisla- 
tion should recognize, however, that health plans that arrange for services through 
provider networks typically do not maintain central medical records files. While
health plans that employ salaried physicians and those that contract with physician 
groups whose practice is solely focused on serving the health plan's members may 
be prepared to provide their members with access to a comprehensive medical 
record, even members of these plans may occasionally seek care outside of the plan's 
affiliated providers. Given that it is a provider who originates health information, 
we believe it is appropriate for providers to be responsible for facilitating access to 
records and appropriate amendment procedures. Federal legislation should permit 
health plans to direct patients wishing to inspect, copy, or request an amendment 
to their record, to their physician or other provider who originated the information 
in question. 

In addition, some proposed legislation includes a requirement to include patients' 
written requests for amendments and written statements of disagreement in the patient's
medical record. However, for the growing numbers of plans and providers
that utilize electronic medical records, this requirement would entail transforming 
the patient's written statements into electronic format in order for it to become part 
of the medical record. Instead, AAHP suggests that a notation concerning the patient's
request to amend or statement of disagreement fulfill any such requirement.

IX. Research 

Any provisions targeted to research in federal confidentiality legislation must en- 
sure that intra-plan quality improvement and other health plan operational activi- 
ties are not suddenly subject to a federal oversight process that was intended for 
the protection of human subjects participating in clinical research and that was 
never intended to encompass routine quality improvement activities related to 
health care treatment and payment. Intra-plan quality improvement activities 
should not be subject to federal oversight. 

Federal confidentiality legislation must also ensure that those health plans and 
providers that wish to provide patients access to clinical trials may continue to do 
so without being subject to a federal research approval process. Current federal 
oversight of clinical trials already subjects researchers to review by an independent 
board specially designed to protect and safeguard the interests of human subjects. 

X. Conclusion 

AAHP wholeheartedly supports the goal of assuring consumers that health plans
and health care providers will respect the confidentiality of their identifiable health
information. At the same time, AAHP believes that consumers should benefit from
the quality-enhancing activities health plans undertake— many of which are re- 
quired by public regulators and private sector oversight entities. In order to craft 
federal confidentiality legislation that achieves these two goals, it is essential to 
have a firm understanding of how our current health care system works, how infor- 
mation flows within the system to make it work, and how health plans use informa- 
tion to improve the quality of health care. 

In this statement, AAHP has highlighted the following recommendations for federal
confidentiality legislation:

(1) Federal confidentiality legislation should not unduly restrict health plan use 
of patient-identifiable health information. Instead, legislation should statutorily au- 
thorize the use of patient-identifiable health information for the purposes of facili- 
tating treatment, securing payment, and conducting health plan quality improve- 
ment activities central to patient care. This statutory authorization would work in 
tandem with penalties for misuse that are consistent with HIPAA.

(2) Federal confidentiality legislation should require the same level of protection 
for all types of patient-identifiable health information. 

(3) Federal confidentiality legislation should address the need for nationally con- 
sistent rules in areas that affect computerized information systems. 

(4) Federal confidentiality legislation should permit health plans to direct patients 
wishing to inspect, copy, or request an amendment to their record, to their provider. 
In addition, any requirements to include written statements submitted by the patient
in the patient's record should permit plans and providers to include a notation
that a written statement exists if it is more technologically feasible to do so.

(5) Any research provisions included in federal confidentiality legislation must be 
carefully constructed to ensure that intra-plan quality improvement activities are 
not suddenly subject to a process that was intended for the protection of human sub- 
jects participating in clinical research and that was never intended to encompass 
routine quality improvement activities related to health care treatment and pay- 
ment. In addition, any research provisions must ensure that those health plans and 
providers that wish to provide patients access to clinical trials may continue to do 
so without being subject to a federal research approval process. Current federal
oversight of clinical trials already subjects researchers to review by an independent
board specially designed to protect and safeguard the interests of human subjects. 

We look forward to working with the Committee in its continued work on federal 
confidentiality legislation. 


Statement of American Association of Occupational Health Nurses 

(AAOHN) 

The American Association of Occupational Health Nurses, Inc. (AAOHN) appre- 
ciates the opportunity to submit written testimony to the House Committee on Ways 
& Means, Subcommittee on Health for the hearing record on the matter of Health 
Care Information Privacy and Confidentiality. We want to thank the Chairman and
express our special appreciation for his leadership on this important issue. 

Our primary interest in participating in these hearings is to urge Congress, in the 
strongest terms, to enact truly comprehensive medical records confidentiality legis- 
lation. In summary, we believe that for Congress to be successful in this area, it 
must craft legislation that will ensure that all medical records are protected under 
the law regardless of the mode of payment or the setting where the health informa- 
tion is obtained or maintained. 

AAOHN is the professional association for more than 13,000 occupational and en- 
vironmental health nurses who provide on-the-job health care for the nation's work- 
ers. Occupational health nurses are the largest group of health care providers at the 
worksite. As such, our professional nurses assume responsibility for all aspects of 
health and safety for individual workers and the work environment. AAOHN sup- 
ports the development of uniform laws, rules and procedures governing the use and 
disclosure of health care information. AAOHN has had a long-standing interest in 
the debate on confidentiality of health information. The Association has developed 
position statements and guidelines on the issue to ensure that the voice of the occu- 
pational and environmental health nurse is heard in Washington. 

Background 

In the course of their jobs, occupational health professionals collect personal infor- 
mation about the health and lifestyles of their company's employees. AAOHN mem- 
bers are responsible for a great deal of data collection and maintenance of personal 
health information. This often includes records that document medical and/or health 
surveillance activities, wellness programs, pre-job placement and return-to-work 
physical examinations, and other similar types of worksite health initiatives. It is 
our observation that, to date, the confidentiality issues surrounding the protection 
of health information gathered and maintained at the worksite have gone largely 
unnoticed in the confidentiality debate. Health care information obtained and main- 
tained at the worksite is both personal and sensitive. Clearly, health information 
records found at the worksite are as important to the confidentiality interests of the 
nation's workers as the patient data contained in the more traditionally thought of 
medical record. Worksite information, if improperly used or released, may be equally
as harmful to an employee's interests as unauthorized disclosure of more traditional 
medical records. 

AAOHN maintains that employers should have access only to that amount of 
health information necessary to determine whether a worker may perform his or her 
job in a safe manner. For example, we believe that in cases of fitness for work 
exams (e.g., health surveillance, pre-job placement and physical examinations, and 
return-to-work physical examination records) health care professionals should pro- 
vide the employer with a written determination based on the medical record rather 
than handing the employer the actual record itself. 

Also, in cases in which workers' compensation benefits are at issue, information 
obtained through the company's wellness or employee assistance programs should 
not be used to defeat the claim. Employees seeking medical or disability payments 
under state workers' compensation laws should not be forced to sign releases cover- 
ing their entire medical record in order to file their claim. Only information directly 
relevant to the illness or injury underlying the compensation claim and any appro- 
priate secondary injury determination should be available. No other information 
should be released without meaningful, uncoerced consent on the employee's part 
for a more expansive disclosure. 

Limiting the amount of personal health information an employer may learn about 
his or her employee is not a novel or untested regulatory approach. The "bloodborne 
pathogens" regulations issued by the Occupational Safety and Health Administration
(OSHA) explicitly require that such information must be kept confidential and
"not disclosed or reported without the employee's express written consent to any
person within or outside the workplace except when required by this section or as
may be required by law."1

The law also narrows the extent of the information provided to the employer to 
that which is necessary to make a determination regarding work fitness. For exam- 
ple, the regulation states that the "healthcare professional's written opinion .... shall 
be limited to whether (a particular treatment) is indicated for an employee, and if 
the employee has received such (treatment)."

We believe that Congress should enact a law to protect individually identifiable 
health information utilizing the standards set forth in the bloodborne pathogens reg- 
ulations. 

To be clear, occupational health professionals have an ethical obligation to safe- 
guard health information confidentiality. AAOHN's ethical tenets caution against in- 
appropriately disclosing confidential information yet recognize, however, that there 
are a number of appropriate ethical and legal exceptions to the rule. For example, 
it is perfectly ethical and legal to disclose information concerning threats of homi- 
cide, threats of suicide, reportable diseases, child or elder abuse, any injury caused 
by firearms or other violent acts, and other information covered by law. Other types 
of disclosures for specific purposes such as controlled research, emergencies, civil, 
judicial and administrative purposes, law enforcement, oversight and payment may 
also be appropriate. 

Employers must be able to access certain personal health information when con- 
sidering pre-placement testing, fitness for work exams and work place safety health 
testing. Specific limited information must be available to employers making reasonable
job accommodations in cases of disability or reviewing claims for workers' compensation
benefits. In addition, because employers are also responsible for providing
a number of other types of benefits such as health and disability insurance, family 
medical leave and employee assistance programs, they may require that certain spe- 
cific health information be disclosed. AAOHN firmly believes that employers should 
be allowed to administer these important programs in an efficient manner. 

Unfortunately, occupational health nurses are often pressured by employers to release
a worker's entire medical record. As such, the occupational health professional
is caught between management demands and the nurse's ethical responsibility to 
protect the employee's confidentiality. Many of our members can attest to the fact 
that employers often pressure occupational health nurses to divulge the confidential 
health information of their employees. For too many occupational health nurses this 
ethical and legal dilemma is not a theoretical issue. The cases of Bettye Jane Gass
and Kathleen Easterson provide two such examples:

Bettye Jane Gass

Bettye Jane Gass became a registered nurse when she passed her Kentucky Nursing
Boards in 1975. She received her degree in nursing from Western Kentucky University.
Shortly thereafter, Ms. Gass began working at both Western Kentucky University
and the Lord Corporation on a part-time basis. She later left the employment
of Western Kentucky University to become a full-time Health Services Specialist
at the Lord Corporation's Bowling Green plant.

In that position Bettye Jane Gass was responsible for providing treatment to employees
who sustained injury or became ill. She was also responsible for maintaining
the case histories of workers; coordinating paper work flow for injury compensation
reports; scheduling pre-employment physicals and follow-up physician visits; preparing
summaries and reports; and maintaining OSHA record-keeping requirements as
well as coordinating activities of the company's wellness program. She was asked 
to return to part-time status in 1993 and was terminated on September 7, 1995, 
without prior notice after approximately thirteen and one-half years at the Lord 
Corporation. 

On that date, the human resource manager demanded access to the routine physical
examinations given to all plant employees. Bettye Jane Gass refused to turn over
the keys to the filing cabinet where the worksite health information was kept. She 
refused to violate her ethical obligations and despite a written company policy that 
expressly stated that health services personnel should maintain confidentiality and 
provide limited access to the medical files, she was fired for "insubordination." The 
state court that heard her case issued a summary judgment stating that Ms. Gass 
"failed to show that her discharge was in violation of any fundamental and well defined
public policy as evidenced by a constitutional or statutory provision." Bettye
Jane Gass has filed an appeal and the case is still in pending litigation.

1 29 CFR Ch. 1910.1030.

Kathleen Easterson 

In the case of Kathleen Easterson, the issues of employer pressure resulting in 
the termination of an occupational health nurse are again presented. Kathleen 
Easterson, an occupational health nurse and Assistant Director of Nursing and Di- 
rector of Employee Health at a New York area medical center, was terminated by 
her employer when she refused to disclose the contents of a doctor's note containing 
an employee's non-occupational diagnosis of severe headache and TMJ trauma. Like 
the case of Bettye Jane Gass, the termination occurred despite the fact that there
was an explicit corporate policy pertaining to medical records confidentiality. 

In the court case that followed the hospital's actions, Ms. Easterson sued for 
wrongful discharge and reinstatement of employment. Ms. Easterson explained to 
the court that she believed that the worker in her care had a reasonable expectation 
of privacy with respect to the medical records kept in her care. She believed this
to be true because of the existence of the nurse-client confidential relationship. She 
explained to the court that the employer's policy and practice of reviewing an em- 
ployee's medical record without consent should not be tolerated. If employers were 
allowed to continue this policy, she argued, it would erode trust in the health care 
system and should, therefore, be held to be against the interests of good public policy.
Ms. Easterson maintained that the doctor's note was part of the employee's confidential
record and that there was no governmental compulsion to reveal the employee's
medical record.

Unfortunately, the two lower courts that heard the case held that there was no 
nurse-client relationship between the occupational health nurse and the employee. 
In addition, the court held that the doctor's note at issue was not information ac- 
quired by the nurse in attending the employee/client. The court also found that the 
doctor's note was not necessary to enable the nurse to act in a nurse-client capacity. 
The court determined that the doctor's note did not create a substantial and specific 
danger to the public health. Finally, the court determined that there was no basis 
in law upon which to provide Ms. Easterson with relief for her claims. 

AAOHN believes that the lack of legal recourse in both the Gass and Easterson 
cases is egregious and should be corrected through Congressional enactment of com- 
prehensive confidentiality legislation. 

Greater Protections Should Be Created Under Federal Law 

AAOHN maintains that workers must be allowed to feel that their private disclo- 
sures will be treated in a dignified and confidential manner. The existence of the 
patch work of state laws does not always provide such assurances in the worksite 
setting. Under the laws of many states, employers are not prohibited from accessing 
detailed personally identifiable employee health information with the company. This 
is true because the occupational health professional is viewed as an agent of the em- 
ployer, not as a health care provider with a duty of confidentiality to the patient- 
employee. In addition, courts have found that physicians representing employers are 
not bound by the physician-patient duty of confidentiality.3

At the same time, health care professionals have been held liable in some states 
for violations of their professional duty to respect privacy. For example, when a pri- 
vate physician notified an employer that an employee had a "long-standing nervous 
condition with feelings of anxiety, and insecurity," the patient won an award for 
damages from the physician because the patient had asked not to have the informa- 
tion released and because the court could find no compelling reason for the disclo- 
sure.4 

In another case, the West Virginia Supreme Court held that under the state's 
workers' compensation statute, physicians can allow employers access to written 
medical reports but not to information collected from oral communications. The 
court also ruled that employees can sue both their physicians for releasing confidential
information and their employer for requesting the information.5

In still other cases, health care professionals have not been held liable in at least 
one state that has attempted to protect patients from unfair information practices, 
for arguably the wrong reasons. In a Maryland case, a plaintiff named Leo Kelly,
Jr., brought suit against a physician named Dr. Brad Lerner based on medical malpractice.
In that case the parties agreed to submit the claim to binding arbitration.
The plaintiff hired an expert witness named Dr. Horst Schirmer to testify that Dr.
Lerner had breached the standard of care by performing an operation known as a
transurethral resection of the prostate ("TURP") on the plaintiff.

3 Rogers v. Horvath, 237 N.W.2d 595 (Mich. 1995).

4 Horne v. Patton, 287 So.2d 824 (Ala. 1974).

5 Morris v. Consolidation Coal, 446 S.E.2d 648 (W.Va. 1994).

On cross-examination, Lerner's counsel sought to impeach Schirmer by introduc- 
ing a copy of a pathology report that indicated that Dr. Schirmer had performed the 
identical surgery under conditions he alleged constituted a breach of care on the 
part of Dr. Lerner. The subject of that pathology report was William Warner.
Based on this use of his medical records, Warner sued Lerner alleging that a viola-
tion of the Maryland Confidentiality Records Act of 1990 resulted from Lerner's im-
proper taking and use of Warner's medical records without his prior consent. War-
ner v. Lerner, 115 Md. App. 428, 693 A.2d 394 (1997). Lerner filed a motion to dis-
miss the case which the Court granted on the grounds that the law stated that in
litigation "a health care provider may disclose a medical record without the author- 
ization of a person in interest." Despite the fact that the Maryland legislature in- 
tended to protect patients from violations of their confidentiality, they did not fore- 
see that health care providers such as Dr. Lerner would use a provision apparently 
intended to allow physicians to defend themselves in malpractice actions for other 
purposes. The Court stated: 

[w]e are troubled here ... [d]espite this Court's quite obvious discomfort, maybe
even displeasure, or its severe reservations regarding just what was intended by the 
general assembly, the language of the statute is clear, and we must give meaning 
to those words as those words set forth by that deliberative body. 

This case points out some of the more egregious perils and pitfalls that exist in 
the current patchwork quilt of state confidentiality laws.

AAOHN believes that workers must be provided with adequate confidentiality 
safeguards regardless of where the personally identifiable health information is ob- 
tained or maintained. We believe that Congress, therefore, must enact comprehen- 
sive uniform medical record confidentiality legislation in order to protect both work- 
ers and occupational health professionals. Without an appropriate amount of care- 
fully crafted legal protections, health care professionals will continue to have dif- 
ficulty in protecting workers' personal health care information and struggle with the 
burdens of carrying out their ethical obligations. 

The "Medical Information Protection Act of 1998" (Draft) 

AAOHN has indicated its support for a number of elements contained in the lat- 
est draft version of the "Medical Information Protection Act of 1998," prepared by 
Senator Robert Bennett (R-UT) and co-sponsored by Senator Jim Jeffords (R-VT).
Although this bill has not been introduced in either the Senate or House, we com-
mend several sections of this proposal to your attention. In general, we believe that
this proposal would provide sufficient protections without creating unreasonable
burdens on participants and providers in the health care system. The proposal pre-
scribes the following federal standards that would:

• provide individuals with access to their own health information and the right 
to make corrections;

• impose civil and criminal penalties for wrongful disclosure and mishandling of 
protected medical records; 

• limit an individual's personally identifiable health information that could be 
disclosed without consent to certain specified circumstances (e.g., emergencies, 
health research conducted by an approved certified institutional review board, fraud 
and abuse, etc); and 

• require that a notice of confidentiality practices be posted in public. 

In general the proposed legislation would also preempt state law.

AAOHN supports defining the term "health information" broadly enough to in-
clude medical records obtained or maintained at the worksite for purposes other
than treatment or payment. We also support the draft bill because it would require 
that entities that create health information post a notice of their confidentiality 
practices. The simple practice of posting such a notice, we believe, will allow employ- 
ees an opportunity to gain a clearer understanding of their rights. It will also pro- 
vide employees with a better understanding that individuals do, indeed, have the 
power under the law to take legal action against violators when appropriate. 

In addition, we are encouraged by the bill's criminal sanctions provisions because 
we believe it is essential that those who would knowingly and intentionally obtain 
personally identifiable health information and disclose this information in violation 
of the proposed law be penalized.6


6 The "Medical Information Protection Act of 1998," Title III, Subtitle A, Section 301(a).

We suggest, however, that the draft bill could be strengthened by extending pen-
alties to those circumstances in which individuals are "attempting" to obtain person-
ally identifiable information for purposes of unauthorized disclosure. It is not
enough, in our view, to merely penalize those who are successful at inappropriately
obtaining and disclosing personally identifiable health information. The recent news
stories regarding the highly aggressive marketing practices of certain health related
corporations remind us that greater protections are essential. The change we pro-
pose would improve the bill and serve as a significant deterrent against inappropri-
ate disclosures. We note that at least one previous draft version of the bill contained
this important provision and suggest that any further drafts would be greatly im-
proved by including the old provision in the final bill prior to its introduction.7

We also support providing uniform legal protections across the nation. Without a 
broad uniformity provision, conflicts will arise due to the fact that it will not always 
be obvious that a specific state law does provide for "greater protections" than the 
federal law. While we believe enacting a weaker preemption provision would be an 
improvement over the status quo, we suspect that anything less than full preemp- 
tion could lead to more litigation and confusion rather than less. 

Finally, AAOHN is actively working to ensure that any legislation that moves
through Congress includes a provision that would clarify that the law should not
require a health care provider within an entity (e.g., a physician or nurse who pro-
vides occupational health services) to disclose protected health information to others
within the company or entity. This issue is often complicated and steeped in termi-
nology that courts may find unfamiliar. Under the Bennett-Jeffords approach, it ap-
pears clear that health information concerning wellness records and first aid would
be protected but that other types of worksite records may not be covered. We urge 
you and others to include in any confidentiality legislation a provision that would 
protect employee medical records related to fitness to work as well as those records 
that document the treatment of illness or injuries or participation in wellness or em- 
ployee assistance programs. While we prefer that this important concept be included 
in actual legislative language, we want to also offer the following suggested Report 
language: 

The Committee believes that the health provider who creates, originates or main-
tains the health information within the entity is the proper person to determine
whether a disclosure is consistent with the limitations under subsection (d). The in-
tent is to protect the confidentiality of an individual's medical records in the work-
place, especially those related to an employee's fitness to work (e.g., medical surveil-
lance records, health screening, return-to-work physical examination records).

In summary, we believe this type of language would limit the releases of impor- 
tant information to protect employee confidentiality while allowing employers to op- 
erate their worksite health programs appropriately. 

The Clinton Administration's Recommendations 

As you know, in September of 1997, Secretary of Health and Human Services
Donna Shalala provided your Committee with a number of recommendations re-
garding standards for privacy and protection of individually identifiable health in-
formation. These recommendations were in fulfillment of her duties required by the
Health Insurance Portability and Accountability Act (HIPAA). While not legislation,
these recommendations put forth the following five important principles:

• Boundaries: An individual's health care information should be used for health 
purposes and only for those purposes, subject to a few carefully defined exceptions. 
It should be easy to use information for those defined purposes, and very difficult 
to use it for other purposes. Federal health record confidentiality legislation should 
impose a legal duty of confidentiality on those who provide and pay for health care, 
and on other entities that receive health information from them; 

• Security: Organizations to which we entrust health information ought to protect 
it against deliberate or inadvertent misuse or disclosure. Federal law should require 
such security measures; 

• Consumer Control: Patients should be able to see what is in their records, get 
a copy, correct errors, and find out who else has seen them. [The Administration's] 
recommendations significantly strengthen the ability of consumers to understand 
and control what happens to their health care information;

• Accountability: Those who misuse personal health information should be pun-
ished, and those who are harmed by its misuse should have legal recourse. Federal
law should provide new sanctions and new avenues for redress for consumers whose
privacy rights have been violated; and

7 See, "Medical Information Confidentiality Act," Title I, Subtitle B, Section 311(a)(1). Version,
(0:/BAI/BAI 97.721). Fall 1997.

• Public Responsibility: Individuals' claims to privacy must be balanced by their
public responsibility to contribute to the common good, through use of their informa-
tion for important, socially useful purposes, with the understanding that their infor-
mation will be used with respect and care and will be legally protected. Federal law
should identify those limited arenas in which our public responsibilities warrant au-
thorization of access to our medical information, and should sharply limit the uses
and disclosure of information in those contexts.

AAOHN is convinced that personal health information can be collected and effec-
tively utilized in the workplace without sacrificing the employee's right to privacy
if employers conscientiously follow Secretary Shalala's principles. Unfortunately, the
Secretary envisions defining employer "activities that use health information" too
narrowly to fully protect the privacy interests of American workers. Addressing only
the privacy issues raised by employers' access to traditional treatment, payment,
wellness and first aid records still leaves employees significantly at risk because of
the potential for employers' misuse of information in other types of worksite records.
AAOHN and its members know from experience that business can operate effec-
tively while adhering to well-thought-out policies that guarantee the confidentiality
of personally identifiable health information. Such policies provide adequate phys-
ical, administrative and technical safeguards against nonconsensual intra-company
disclosures of employee data that exceed the scope of information legitimately need-
ed by the employer to run its business safely and effectively.

AAOHN urges Congress to expand upon Secretary Shalala's recommendations and
to enact a medical records confidentiality statute that adequately protects all em-
ployee health information held at the worksite, not just those records mentioned by
the Secretary.


Conclusion 

Mr. Chairman, AAOHN greatly appreciates this opportunity to offer our com-
ments for the hearing record. In addition to our specific comments, we offer the fol-
lowing five principles that we believe will be useful as Congress deliberates on this
important issue:

• First, define health information broadly enough to include all medical records
obtained or maintained at the worksite for purposes other than treatment or pay-
ment;

• Second, require entities that create or maintain health information to post a no-
tice of their confidentiality practices;

• Third, apply the guiding principles of compatibility of purpose and minimal dis-
closure to all personally identifiable health information available to an employer re-
gardless of the reason why the employer holds or has access to the records;

• Fourth, recognize that the health care professional who creates, originates or
maintains the health information at a worksite is the appropriate person, rather
than management, to determine whether a disclosure is consistent with the pur-
poses underlying the reason for the release of the information;

• Lastly, include penalties for coercing or attempting to coerce inappropriate
record disclosures as well as penalties for actual misuse.

These elements are essential components of any comprehensive federal medical
records confidentiality law intended to protect the personal health information of
America's workforce. We urge Congress to keep principles in mind when legislating,
and we look forward to working with you and your colleagues as this important
matter moves through the legislative process.


Statement of American College of Occupational and Environmental
Medicine, Arlington Heights, Illinois

The American College of Occupational and Environmental Medicine (ACOEM) is 
pleased to have the opportunity to submit testimony to the House Committee on 
Ways and Means, Subcommittee on Health on the issue of confidentiality of medical 
records and Secretary Shalala's recommendations for legislation. 

ACOEM, representing over 7,000 physicians, is the world's largest medical society 
committed to promoting and protecting the health, safety, productivity and well- 
being of people at work and in their environment. 

ACOEM supports the development of uniform comprehensive legislation address- 
ing the confidentiality of medical records. The College feels that such legislation 
should include provisions that encompass the treatment of employee medical infor- 
mation in the workplace. 

There is great potential for a worker to be adversely affected by the misuse of 
workplace medical records. Decisions on return to work, job placement, and pro- 
motion can be influenced by improper access to workplace medical records. Current 
federal laws, such as the Americans with Disabilities Act (ADA), are inadequate in
scope. For example, the medical record confidentiality requirements in the ADA go
no further than requiring the medical record to be kept in a separate file. The ADA 
does not address who has access or when access is permitted. 

Occupational physicians and other workplace health care providers depend on the 
individual to completely and truthfully disclose private information before rendering 
a professional opinion. An employee must feel secure that the physician will treat 
their private disclosures in a dignified and confidential manner. The physician 
should disclose information received in confidence only in narrowly defined cir- 
cumstances and only when it is in the best interests of the individual. 

Employers may require access to personal information when considering requests
for job accommodations, addressing threats to health or safety, or reviewing claims 
for workers' compensation benefits. Additionally, employers shoulder an increasing 
responsibility for providing other types of benefits and obligations, such as health 
and disability insurance, family medical leave, and employee assistance programs. 
As a result, the employer becomes inextricably and unavoidably involved in employ- 
ees' personal and medical affairs. 

Thus, competing interests between a worker's desire for privacy and the employ- 
er's legitimate interest in the health of workers create sensitive ethical and legal 
dilemmas for physicians in occupational medicine. Difficult ethical problems arise 
when attempting to balance the importance of the worker's need and right to keep 
medical information confidential versus the employer's need to know. 

Occupational physicians acknowledge the importance of medical confidentiality in 
the College's Code of Ethical Conduct. The code includes the following: 

"5. keep confidential all individual medical information. Releasing such informa- 
tion only when required by law or overriding public health considerations, or to 
other physicians according to accepted medical practice, or to others at the request 
of the individual"; and

"6. recognize that employers may be entitled to counsel about an individual's med- 
ical work fitness, but not to diagnosis or specific details, except in compliance with 
laws and regulations." 

ACOEM recognizes its Code of Ethical Conduct to be the standard of conduct ex- 
pected from those providing occupational medical services. However, the College be- 
lieves that additional guidance by legislation is necessary to protect the worker's ex- 
pectation for confidentiality and to give the physician's ethical responsibility the 
force of law. 

Secretary Shalala's recommendations for workplace protections are too narrowly 
crafted. The Secretary recommends that employers not be "controlled by the legisla- 
tion," but be considered health care providers or payers when they actually perform 
those activities and "be obliged to conduct themselves accordingly." 

The College recommends that comprehensive federal legislation reflect the follow-
ing principles:

1. Physicians should disclose their professional opinion to both the employer and 
the worker when the worker has undergone a medical assessment for fitness to per- 
form a specific job; however, the physician should not be required to give the em- 
ployer specific details or diagnoses unless the worker has authorized the disclosure. 

2. Supervisors and managers may be informed by the physician regarding nec-
essary restrictions on the work or duties of the employee and recommended accom-
modations. However, the physician should not provide, or be coerced to provide, the
medical information on which the restriction or accommodation is based.

3. Physicians should recognize a consent for disclosure only if the consent is in-
formed and is made without duress.

4. Physicians should be a source of professional, unbiased, and expert opinion in
the workers' compensation or court systems, and should only disclose medical infor-
mation that is relevant and necessary to the claim or suit. The decision on disclo-
sure of relevant and necessary medical information should be solely that of the phy-
sician.

5. The physician should develop a written policy for the treatment of medical 
records in their offices, clinics or workplaces. The policy should address such issues 
as where and how medical records are stored; the security of medical records, in- 
cluding medical databases; what happens in the event of employee resignation, lay- 
off, termination, job transfer, or plant closure; and the mechanisms of employee ac- 
cess and consent for disclosure. 

6. Although workplace medical records may be considered the property of the em- 
ployer, this ownership does not abrogate any of the principles of confidentiality. 
However, the custodian of the record should always be the physician or responsible 
health care provider and access to the record should be controlled by the custodian. 
The medical record captures the confidentiality of communications within the pa- 
tient-physician relationship. For the physician to provide the best and most appro- 
priate medical care, a worker must feel that they can disclose to their physicians 
personal facts and information that they may not want others to know. Access by 
corporate officials, e.g., employee relations, in-house legal departments, and other
functions, should proceed via the physician and in accordance with procedures for 
disclosure. 

ACOEM urges the Congress to enact comprehensive federal medical records con- 
fidentiality legislation that encompasses protection of an individual's personally- 
identifiable medical information in all settings, including the workplace. 

Washington Contact: Pat O'Connor (202-223-6222) 


Statement of American Hospital Association 

The American Hospital Association (AHA) represents the nation's 5,000 hospitals, 
health care systems, networks and other providers of care. We appreciate this op- 
portunity to present our views on an issue of great importance to our members and 
the patients we serve: protecting the confidentiality of private health care informa- 
tion. 

As health care providers, AHA members are deeply involved in both the use of 
private health information, and in ensuring that the information remains confiden- 
tial. Our comments reflect our members' experiences and needs in balancing these 
two important issues. 

Protecting the Trust Between Providers and Patients 

Every day, thousands of Americans walk through the doors of America's hospitals. 
Each and every one of them provides care givers information of the most intimate 
nature. They provide this information under the assumption that it will remain con- 
fidential. It is critical that this trust be maintained. Otherwise, patients may be less 
forthcoming with information about their conditions and needs— information that is 
essential for physicians and other care givers to know in order to keep people well, 
ease pain, and treat and cure illness. 

If care givers were not able to obtain and share patients' medical histories, test 
results, physician observations, and other important information, patients would not 
receive the most appropriate, high-quality care possible. 

Our members consider themselves guardians of this information, which is why 
AHA has long supported the passage of strong federal legislation to establish uni- 
form national standards for all who use health information. We were pleased that 
the Health Insurance Portability and Accountability Act (HIPAA) of 1996 pushed 
this issue to the forefront by requiring the Secretary of Health and Human Services 
to issue recommendations to Congress on this important topic. We commend Con-
gress and this committee for taking up the difficult task of balancing the needs in
this area.

It's an issue that affects each of us personally. We live in a time of rapidly ad- 
vancing technological improvement, when the world seems to get smaller as comput- 
ers get more powerful and databases get bigger. This technological change can be 
positive— it has led to significant improvements for both health care providers and 
their patients— but it worries people who are justifiably concerned about how infor- 
mation about them will be used. 

In health care, we must take the steps necessary to protect that information from
those who would misuse it. We need strong, uniform federal legislation to do it. 

AHA Goals For Legislation 

First and foremost, because we as hospitals and health systems put our patients 
first, we must restore people's trust in the privacy and confidentiality of their per- 
sonal health information. Federal legislation can do this by establishing a uniform 
national standard for the protection of health information— including genetic infor- 
mation— a standard that balances patient privacy with the need for information to 
flow freely among health care providers. The AHA believes that federal confidential-
ity legislation must meet the following goals:

Allow patients and enrollees access to their medical information, including the oppor-
tunity, if practical, to inspect, copy, and, where appropriate, add to the medical
record. 

Patients have a right to know what information is in their records. This level of 
accountability encourages accuracy and has the added benefit of encouraging patient 
involvement in their care. It is not appropriate for patients or enrollees to request 
deletions from their records even if the information is incorrect. Medical or claims 
decisions may have been made based on that erroneous information and it should 
be left in the record to ensure accuracy for future users. Any amendments or correc-
tions should be added to the original information.

Preempt state laws that relate to health care confidentiality and privacy rights, with 
the exception of some public health laws. 

Health care today is delivered through providers that are linked across delivery 
settings, and through organizations that cross state boundaries. AHA believes that 
the best way to set important standards for confidentiality of health information is 
to do so uniformly— through a strong federal law. This law must be both a floor and 
a ceiling, preempting all state laws with which it may conflict, weaker or stronger. 
Only through such a uniform law can patients' confidential information be equally 
protected regardless of the state in which they live or travel. 

Be broad in its application, covering all who generate, store, transmit or use individ-
ually identifiable health information, including but not limited to providers, payers,
vendors, and employers. 

Patient confidentiality cannot be ensured unless standards are applied to all who 
may have access to health information. Legislation should cover all types of individ- 
ually identifiable health information, including sensitive issues such as substance 
abuse, mental health, and genetic information. 

Because of our strong belief in this concept, the AHA has been very concerned 
about model privacy regulation that is being developed at the National Association
of Insurance Commissioners (NAIC) and would apply only to insurance carriers. 
This attempt to address enrollee privacy concerns through insurers potentially ex- 
pands the ability of insurers to use individually identifiable information by expand- 
ing insurer responsibility into areas that are more appropriate for providers. The 
model holds insurers responsible for amending patient records and establishing In- 
stitutional Review Boards (IRBs) for research. It also holds insurers responsible for 
making sure that providers with whom they contract have confidentiality and secu- 
rity policies that are "substantially similar" to their own. This limited approach il- 
lustrates the problems with addressing this problem in a piecemeal manner. 

Strike an appropriate balance between patient confidentiality and the need to share 
clinical information among the many physicians, hospitals and other caregivers in-
volved in patient care.

Care is increasingly provided by groups and systems of providers as opposed to 
individual providers. These new systems create opportunities for real improvements, 
but they rely heavily on a free flow of information among providers. Patient con-
fidentiality is of the utmost importance. But in order to ensure that care is coordi-
nated and the patient's experience is as seamless as possible, information must be
accessible to all providers who treat the patient.

To ensure this smooth coordination of care, the AHA supports legislation that re-
quires a health plan to obtain from its enrollees authorization for the entire range
of treatment activities that could be needed. Providers should still be allowed to ask
for other authorizations— for example, if a patient is to receive sensitive tests or pro-
cedures that might require the provider to consult with others during a course of
treatment. But, because it is impossible to know in advance all the different practi-
tioners who might be involved in a single health care case, multiple levels of author-
ization would create unscalable barriers to the smooth coordination of care.

Another important issue is how to make sure providers have all the information
they need to treat the patient. Some proposals allow patients to decide which pro-
viders can and cannot have access to their records, and what information the pro-
vider can and cannot see. While we understand the concerns of patients who want
to limit the amount of information in their records that is made available to provid-
ers or payers, we believe strongly that decisions about what information is nec-
essary must be made by trained health personnel. At the same time, however, infor-
mation that is requested by a provider or payer must be clearly related to the pur-
pose for which it is disclosed.

Recognize that a hierarchy of need exists among users of health information. 

While access to individually identifiable information is essential for patient care, 
it may also be necessary for provider and health care system efforts to measure and 
improve the quality of care they deliver. 

To limit its potential misuse, all within the health system should restrict the 
availability of individually identifiable information. Technology is available to do 
this, through encryption, audit trails, and password protection, for example. Another 
method for restricting the availability of individually identifiable information is to 
aggregate information whenever possible. Patients should be assured that unique, 
identifiable information about them is available for their treatment, but that its 
availability for other uses is tightly controlled. 

Specific guidelines should be established to control the disclosure of individually 
identifiable information to various categories of users, including law enforcement of- 
ficials, researchers, and employers. 

Regarding law enforcement, the AHA believes that leaving in place current state 
laws— as recommended by the secretary of HHS— would set a dangerous precedent. 
Inconsistencies in these laws could allow local law enforcement agencies unre- 
stricted access to confidential patient records, and free rein to re-disclose the infor- 
mation contained in them. Federal safeguards need to be put in place that ensure 
patient information is provided only when truly necessary— and that its subsequent 
use is tightly controlled. Such decisions should be left to a neutral magistrate, from 
whom law enforcement agents must request a warrant or subpoena to obtain indi- 
vidually identifiable patient information. 

In the area of research, it is critical that legislative proposals distinguish be- 
tween— on the one hand— human subject research under an IRB and non- 
intervention medical records research involving no contact with patients, and— on 
the other hand— the internal operations that a hospital or health system undertakes 
to improve care. For example, many institutions use individual medical records to 
track outcomes and conduct case and disease management. Confidentiality legisla- 
tion should recognize that these activities are not research, but activities integral 
to the basic function of a hospital or health system— continually striving to improve 
the health care they deliver. 

When individually identifiable information is used by employers, two things are 
critical: the employer must have access only to information needed for the functions 
it may perform as an ERISA health plan— treatment, payment or administration;
and this private information must be available only to those who administer the 
health plan. 

Include sufficient civil and criminal penalties to deter inappropriate disclosure of in-
dividually identifiable information.

The level of these sanctions should vary according to the severity of the violation. 
At the same time, any penalty imposed must take into account good-faith efforts by 
providers who establish data safeguards, educate employees about complying with 
the safeguards, and attempt to maintain secure record-keeping systems.

Conclusion

The smooth exchange of patient information is critical to providers and patients
alike as our nation's health system rapidly becomes more integrated. We need
federal legislation to protect this sensitive information from being misused. The
AHA looks forward to working with you to develop legislation that, by adhering to
the goals stated above, protects patient confidentiality, does not get in the way
of high-quality health care delivery, and is truly a uniform national standard.


Statement of Healthcare Leadership Council 

The Healthcare Leadership Council (HLC), a trade association representing all
sectors of the health care industry, including pharmaceutical companies, hospitals, 
managed care, providers and device manufacturers, submits the following statement 
regarding patient confidentiality for the record created in response to the March 24 
hearing held by the House Committee on Ways and Means, Health Subcommittee. 
The HLC members are the innovators in the health care industry, and share a com- 
mitment to a consumer-focused health care system and a dedication to providing 
high quality health care services to every patient. Information is the cornerstone of 
innovation and quality. It serves as the basis for the knowledge we need to serve, 
treat, counsel, prescribe therapies, and reimburse patients, and to discover how all 
of these activities can be done better and more effectively. Without efficient access 
to information, the evolving health care delivery system will come to a grinding halt, 
and consumers will be denied the real-world benefits of all that the health care in- 
dustry has to offer today and well into the future. 

The HLC supports the passage of federal confidentiality legislation, while assur- 
ing the appropriate information sharing needed by network-based health plans, re- 
searchers and purchasers to provide high quality affordable care for consumers. We 
applaud the recent Ways and Means Health Subcommittee hearing. The issues dis- 
cussed will help build a strong foundation for the upcoming debate Congress will 
have on this most important issue. We appreciate the inclusion of our statement in 
the record. 

For more than two years, the HLC has been engaging in an earnest effort to work 
with its members and others in the industry to craft workable and meaningful con- 
fidentiality protections that provide important confidentiality assurances to the pa- 
tient while at the same time allowing health plans, providers and health product 
manufacturers to use patient health information for purposes that are necessary 
and appropriate to the provision of high quality health care services. 

In searching for a workable federal legislative solution, the HLC has identified the
following principles as necessary to striking the right balance between the patient 
and the information needs of the health care industry. These basic principles are 
as follows: 

(1) Support for federal standards regarding the confidentiality of all patient health
information; (2) Application of standards only to identifiable health information,
leaving non-identifiable health information (i.e., coded and encrypted data) available
for use in research and for other health-related purposes; (3) Treatment of all
identifiable patient health information, including genetic information, the same way
to assure the same strong confidentiality protections; (4) Facilitation of appropriate
uses and sharing of patient health information with recognition that access to
information is not harmful, but rather helpful to the patient; and (5) Provision for
strong and thorough preemption of state law.

1. Federal standards. Federal standards ensuring the confidentiality of patient 
health information are critical to guaranteeing the uniform, consistent treatment of 
such information throughout the country. In 1996, the Health Insurance Portability 
and Accountability Act (HIPAA) took important steps in the right direction by re- 
quiring that a standardized information transmission and storage system be devel- 
oped, and that such systems be kept secure. In addition, HIPAA mandates that Con- 
gress enact federal confidentiality standards by August of 1999. Failure to do so will 
trigger Secretarial authority to promulgate regulations guaranteeing such protec- 
tions within six months. 

The time has come for a uniform federal standard. The HLC supports federal 
standards regarding disclosure and use of an individual's identifiable health infor- 
mation, for safeguarding the confidentiality of that information, and for establishing 
an individual's rights to inspect and copy his or her records. A uniform standard 
is the only way to avoid a dual-regulatory environment. State authority should
remain paramount over areas of confidentiality that do not conflict with national
uniformity and consistency, such as state reporting requirements for public health
and safety dangers and licensure of providers.

2. Treat all identifiable health information in the same manner. The HLC
supports extending strong and consistent confidentiality protections to all
personally identifiable patient health information. As such, the HLC is concerned
about recent proposals, such as that introduced by Rep. Slaughter (D-NY)
(H.R. 306), to treat genetic information separately from other patient health
information. As a practical matter, it would be difficult if not impossible for
health plans and providers to treat and secure genetic information differently
than other patient health information as almost all health information contains an
important genetic component. How then can we elevate certain types of health
information to a higher status more deserving of protection than other information?
All personally identifiable patient health information should receive the same
strong protections against inappropriate disclosure.

3. Scope of federal standards should apply to individually identifiable information
only. In its effort to craft federal confidentiality standards, Congress should apply
these protections to individually identifiable health information only where there is
a legitimate need for confidentiality. The current trend is toward anonymizing
information—that is, rendering the information available but leaving the identity of
the subject individual unknown—and a more narrow focus on individually identifiable
health information would provide an important incentive to encrypt, encode and
otherwise anonymize patient health information wherever possible.

The HLC strongly believes that any federal confidentiality standards should
provide incentives for health plans, providers, purchasers and other product
manufacturers to continue using non-identifiable health data to make advancements,
cure diseases and study the effects of new treatments. Allowing the use of
anonymized health data directly facilitates health research and limiting its use
would stifle the phenomenal medical advances being made almost daily in this
country. To further ensure the confidentiality of patient health information,
however, the HLC strongly supports subjecting any "encryption key" or other such
code used to anonymize information to the same strong protections provided for
other protected, identifiable health information.

4. Provide for appropriate health information sharing with confidentiality
protections. Any federal confidentiality standards adopted by Congress must
adequately and effectively recognize that most health care services are delivered
through some form of integrated delivery system. This modern health care system,
which is marked by a team-approach to health care delivery, relies heavily on
information sharing and collaboration to ensure high quality services are provided
to the patient. As a result, it is crucial that strong patient confidentiality
protections allow and facilitate appropriate information sharing to further this
goal. Following are several key points explaining the HLC's perspective:

• An integrated health care delivery system requires more information sharing. 
Only in focusing on what are and are not appropriate "uses" of patient health infor- 
mation can we develop confidentiality protections that effectively distinguish be- 
tween what is helpful and harmful to the patient and to consumers generally. Our 
health care delivery system is no longer one defined by discrete encounters with a 
number of different and unrelated physicians and providers. Rather, the current de- 
livery system is distinguished by a growing number of innovative arrangements be- 
tween and among physicians, health plans, employers, hospitals and researchers. 
We now have teams of professionals responsible for coordinating the health care 
services provided to patients. These teams involve multiple individuals, including 
physicians, nurses, lab technicians, pharmaceutical manufacturers and others. To- 
gether, these varied participants are working in the interest of the patient. 

As a result of these important improvements in the health care delivery system, 
the HLC supports establishing strong confidentiality protections consistent with the 
direction of our delivery system. Specifically, the HLC supports allowing the use of 
patient information for purposes of providing treatment, securing payment, conduct- 
ing health care research and undertaking quality assurance activities. These activi- 
ties are all designed to benefit the consumer. 

Medical records research is vital to maintaining and improving the health of the 
American public. In fact, virtually every health hazard that we know of today has 
been identified using information from medical records. Take AIDS, for example. If 
researchers had not been allowed to study the medical records of patients with un- 
usual immune deficiency problems in the late 1970’s, the characterization of the 
AIDS epidemic would have been delayed at substantial cost to the public's health. 
Other examples include studies examining the benefits and risks of estrogen
treatment, the health risks of: smoking, dietary fats, obesity, and certain
occupations; infectious disease studies which led to the development of vaccines
for polio, measles and other infectious diseases; and studies which show the effect
of breast cancer screening programs.

Another example is the outbreak of "flesh eating strep" identified at the Mayo
Clinic in 1996. Without access to the medical records of patients with these unusual
infections, characterization of this syndrome and isolation of this deadly bacterial
strain would have been delayed. And over a hundred school children—which the
Mayo research showed were the unwitting carriers of this deadly germ in their
throats—would have gone untreated. Every medical advance mentioned here has
relied heavily on information from patients' medical records. Without access to this
rich source of clinical information, many of these advances simply would not have
occurred.

• You can't expect a surgeon to operate blind. Legislation must emphasize
confidentiality and provide strong disincentives for abuses of information; however,
the HLC is concerned over recent proposals that would appear to place the patient in
a position of having ultimate veto power over access to information. To put patients,
who by and large rely on lay knowledge, in a position of deciding whether to grant
access of information to some and not to others ultimately puts them at risk. Again,
federal standards should focus on the appropriateness of information disclosure and
its use.

• The move toward electronic transmission of information brings forth tremen- 
dous benefits for the patient, but also creates fears. The Health Insurance Port- 
ability and Accountability Act (HIPAA) will result in numerous standards regarding 
the security of electronically transmitted information. The concept of a unified medi- 
cal record is revolutionary in the benefits that will inure to patients. There will be 
fewer adverse drug reactions, fewer mistakes made and fewer unintended
consequences. Electronic data storage presents a greater opportunity to secure
information than in the current system of open file cabinets, etc. At the same time,
anything new and unfamiliar can cause trepidation. It is the fear of the unknown. Yet
a unified medical record stored electronically actually can keep information more se- 
cure than paper copies in files, as mentioned before. Computer records can be safe- 
guarded through encryption, password access and other similar technologies. 

• The HLC is concerned over efforts to use the confidentiality debate to advance 
other agendas, such as anti-managed care and insurance product pricing issues. The 
HLC grows increasingly concerned that the debate over how to keep patient health 
information confidential in the current health care delivery environment is becom- 
ing a vehicle for debate regarding the delivery system as a whole. Again, the HLC 
advocates responsible and appropriate information sharing and use. However, any 
debate desired about such practices as medical underwriting, utilization
review/utilization management and other quality assurance techniques should be held
separately and should be dealt with on the basis of their merits. The HLC cautions
Congress against effectively putting an end to such practices through the guise of
protecting the confidentiality of patient information.

• Confidentiality protections are already in place. Health plans and providers 
submit to voluntary accreditation, which includes evidence of strong confidentiality 
protections. For example, the National Committee for Quality Assurance (NCQA) 
and the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) 
are two accrediting bodies which require health plans and hospitals to have written 
confidentiality policies and procedures in place, to take action at patient care sites 
to guard against unauthorized or inadvertent disclosure of confidential information, 
and to obtain patient consent for information release. In addition, the Federal Pri- 
vacy Act imposes numerous confidentiality requirements on health plans and pro- 
viders participating in the Medicare program. Similarly, the Institutional Review 
Board (IRB) process involving clinical research holds pharmaceutical manufacturers, 
device manufacturers and other researchers to stringent confidentiality standards. 

5. Strong federal preemption of state law. The HLC strongly supports effective 
federal confidentiality protections for consumers as long as the standards include 
strong and thorough preemption of state law in those areas in which the federal 
government has legislated. Without adequate preemption, providers, health plans, 
purchasers and manufacturers would essentially be subject to 52 different confiden- 
tiality laws, which is unworkable and leaves consumers vulnerable under a patch- 
work of protections. 


Conclusion 

With these important HLC principles in mind, we are concerned that current leg- 
islative proposals fail to recognize that most health care services today are delivered 
in some integrated delivery context. Any legislative restrictions limiting access to 
medical records threaten our ability to engage in quality-enhancing activities as well
as the very existence of entire categories of medical research. In addition, we are
concerned about proposals that would require that we obtain patient authorization
each time patient information is used. This could result in a patient's ability to
revoke authorization to use information to provide essential services, as well as
undermine research. This is because individuals who deny consent are systematically
different in important ways from individuals who do consent. For example, individuals
who deny consent may have had worse outcomes or they may be less satisfied with
their care.

Studies describing the outcomes of diseases or the effectiveness or
cost-effectiveness of treatments which exclude such individuals would be
biased—they give us the wrong answer. Moreover, while research is clear on the point
that individuals who deny consent are systematically different from those who
consent, the direction and magnitude of those differences are completely
unpredictable from study to study. So not only will such research result in the
wrong answers, but it will be impossible to determine how wrong they are or in what
way. Thus, the reliability and validity of findings from such research will be
suspect and lead to the design of potentially incorrect medical treatments. The
inclusion of all qualifying individuals is the only way to assure that accurate
conclusions are drawn about the prognosis of disease, the outcomes of therapy or
the quality of care.

The underlying motivation for many of the legislative proposals is to keep
personal medical information between the patient and his or her physician. While
this idea could be very attractive, in our complex health care environment, it is an
unattainable ideal. For example, in an average medical visit the following
individuals and groups have access to a patient's complete medical record: the
appointment office, the registration desk, all physicians, physician assistants, and
nurses who provide care for the patient as well as their receptionists and
secretaries, all laboratory, EKG, and x-ray technicians who perform the necessary
tests, infection control officers who regularly survey medical records for
reportable diseases, continuous improvement staff who strive to improve our health
care processes, members of the marketing department who seek to ensure patient
satisfaction, the business office for billing, the legal department, and insurers
and other third-party payers.

With this in mind, the Healthcare Leadership Council would like to work with
lawmakers in search of meaningful and balanced federal confidentiality standards
that allow us to achieve the promise of the information-based 21st Century health
care delivery system. The HLC looks forward to working with you and your staff.

Thank you for your attention and leadership on this most important issue.


International Society for Pharmacoepidemiology
2000 L Street NW., Suite 200
Washington, DC 20036

March 25, 1998

The Honorable Bill Archer
Chairman, House Ways and Means Committee
Attention: Bradley Schrieber
Room: 1102 LHOB
Washington, DC 20515

RE: Written Testimony on Medical Confidentiality, March 26, 1998 Hearing

Dear Mr. Chairman:

On behalf of the International Society for Pharmacoepidemiology (ISPE), we are
pleased to submit written testimony in response to the hearing regarding the
confidentiality of medical records and draft legislation scheduled for March 26, 1998.
Our professional society embraces the principle of protecting the confidentiality of
individually identifiable medical information while preserving justified research
access to such information in the interest of the public's health.

The research conducted by members of our society and others in our field
evaluates populations to understand the extent, natural course, and burden of diseases.
Pharmacoepidemiology is an observational, non-experimental science. In contrast to
clinical trials, which are experimental, an epidemiologic observational study
observes patients in the real world of clinical medicine, and the patient is at no
medical risk from being part of the study. It is the science of pharmacoepidemiology
that is used to evaluate the risks and benefits of medications in large numbers of
patients in the real world setting. Pharmacoepidemiologic studies have had a major
impact on the public's health in general and on our understanding of the risks and
benefits of medications in particular. For example, such studies documented the risk
of aspirin and Reye's Syndrome in children and the risk of vaginal cancer in
daughters of women who took diethylstilbestrol (DES) while pregnant.
Pharmacoepidemiologic studies will continue to be important in the future. ISPE urges
that any new laws or changes in existing laws aimed at further protecting data
privacy be formulated with an acknowledgment of the value to society of
pharmacoepidemiologic research.

We are especially concerned about legislation relating to patient informed consent 
and the use of IRBs for certain observational research that uses encrypted patient 
data, and we pay special attention to the definition of "identifiable data." While the 
development of new legislation presents an opportunity to strike a fair balance be- 
tween individual privacy needs and legitimate access to information for research in 
the public's interest, there is also the opportunity to inadvertently stifle important 
research, while offering no meaningful new protections. We offer our help to you, 
your colleagues and your staff in the development of legislative answers to these im- 
portant and complex issues. 


Yours sincerely,


Jerome L. Avorn, M.D.

President 

Elizabeth Andrews, Ph.D. 

Chair, Ad Hoc Committee on 
Data Privacy in the US and Canada 


Enclosures 


International Society for Pharmacoepidemiology ISPE Fact Sheet 1997-98 

Membership 

More than 1300 members from 45 countries 

• Pharmaceutical Industry— 35.6%

• Academic Institutions— 40.8%

• Government Agencies— 11.0% 

• Clinical Practice & Consulting— 12.6% 

• North America— 50.1% 

• Europe— 36.1% 

• Asia— 8.6% 

• Other Continents— 5.2% 

• Correspondents in 19 Countries 

• National Chapters in Argentina, Belgium, Netherlands 

• Associate to Member of World Health Organization Council for International
Organizations of Medical Sciences (CIOMS).

Membership Benefits 

• Pharmacoepidemiologic Scientific Forums for Research Interchange 

• Policy Formulation Relevant to the Professional and Research Work Environments

• Enhanced Professional Communication: 

—Forum Networking Opportunities 

—Reduced Registration for Annual International Conference on
Pharmacoepidemiology
—Subscription to the journal
—Reduced Subscription Price

Society Objectives

Mission Statement 

The International Society for Pharmacoepidemiology (ISPE) is a non-profit
international professional membership organization dedicated to promoting
pharmacoepidemiology, the science which applies epidemiological approaches to
studying the use, effectiveness, value and safety of pharmaceuticals. ISPE is firmly
committed to providing an unbiased scientific forum to the views of all parties with
interests in drug development, drug delivery, drug use, drug costs, and drug effects.

A. Establishment of scientific forums. 

1. Convene an annual scientific forum where members of the discipline meet each 
other, present results of methodologic investigations and studies in progress, discuss 
public health policy issues concerning pharmacoepidemiology, etc. 

2. Convene periodic symposia on scientific and public policy issues of common in- 
terest. 

3. Sponsor industry, provider, and academic caucuses to address issues of particu- 
lar interest to caucus members. 

4. Convene periodic consensus conferences. 

B. Dissemination of scholarly and practical information. 

1. Publish a newsletter highlighting emerging issues, news of the field, employ- 
ment opportunities, etc. 

2. Collect information on existing curricula and aid in developing curricula criteria 
and professional training standards. Provide information on worldwide training op- 
portunities. 

3. Sponsor/co-sponsor/co-sponsor superior quality peer-reviewed publications. 

C. Facilitation of professional communication.

1. Establish a clearinghouse on data resources for pharmacoepidemiologic studies.

2. Establish a directory of pharmacoepidemiology consultants.

D. Capacity building.

1. Establish funding resources for pharmacoepidemiology training scholarships. 

2. Act as an advocate for the field in affecting health policy and the allocation of 
resources with government agencies, the pharmaceutical industry, private founda- 
tions, universities, other professional groups. 

[Additional material is being held in the Committee files.] 


Statement of Medical Group Management Association 

Mr. Chairman and Members of the Subcommittee, the Medical Group Manage- 
ment Association (MGMA) appreciates this opportunity to provide input on the gen- 
eral issue of patient confidentiality. As this issue is further developed and legisla- 
tion is crafted, MGMA will submit a more detailed analysis. 

MGMA is the oldest and largest association representing physician group prac- 
tices with more than 8,900 health care organizations nationwide in which just under 
200,000 physicians practice medicine. MGMA's membership reflects the diversity of 
physician organizational structures today, including large tax-exempt integrated de- 
livery systems, taxable multi-specialty clinics, small single specialty practices, hos- 
pital-based clinics, academic practice plans, integrated delivery systems, manage- 
ment services organizations, and physician practice management companies. 

MGMA believes that the provider-patient bond is the most important relationship 
in the health care arena. Even with the changes occurring in the marketplace, the 
trust engendered in these encounters should remain constant. Physician practices 
have a duty to patients to ensure their medical records are held in confidence and 
are disclosed only in appropriate situations. The evolution of information flow, 
health care records computerization, managed care contracting, and organizational 
restructuring require an appropriate balance for health care systems to thrive while 
simultaneously safeguarding the confidentiality of medical records. The following 
represents MGMA’s support of the highest level of medical records confidentiality 
that can be achieved without imposing onerous regulations on physician practices.

Applicability to Smaller Practices

Confidentiality policy should not be predicated on new personnel intensive stat- 
utes or regulations, at a time when pressures to contain costs are forcing physician 
offices and hospitals to decrease staffing. MGMA urges Congress and the Adminis- 
tration to consider how confidentiality legislation will impact physician practices. 
There is no cookie cutter process for all physician offices, and certain provisions, 
such as those that are technology-based, would disproportionately burden small 
practices. 

Medical and Outcomes Research 

Patient confidentiality legislation and regulations should not unnecessarily inter- 
fere with legitimate medical research. MGMA believes the confidentiality of medical 
records must be balanced against the benefits of medical research and efforts to im- 
prove the quality of care. Aggregating medical data, being able to access subjects' 
profiles, and possibly contacting subjects for follow-up information are vital compo- 
nents of medical research. Institutional review boards should be permitted to waive 
informed consent requirements for the minimum amount of necessary disclosure, 
when appropriate standards have been developed and have been applied to clinical 
and quality research initiatives by institutional review boards. 

Scope of Statutes

Anyone who improperly discloses confidential medical records should face civil 
and criminal penalties. MGMA urges policy makers to adopt confidentiality
measures that apply to everyone. Whether a health care provider improperly reveals
information to an employer, or a person finds medical records and reveals them
publicly (e.g., to a newspaper), an individual suffers both emotionally and
financially when a person breaks a medical confidence.

National Standards 

Policy makers should ensure that federal preemption is part of confidentiality leg- 
islation. Lawmakers should build in protections at the federal level to guard against 
specific types of disclosure and discrimination. This will ensure that every patient
has the security of knowing that his or her records will remain confidential, and 
will allow providers with patients residing in different states to know how confiden- 
tiality standards apply to their practices. National uniformity will give physicians 
one set of standards and will make compliance feasible. 

Notification Requirements 

Notifying third parties of incorrect information within a medical record is a 
shared responsibility. Health care providers should notify those parties they have 
previously provided with unamended information of substantial changes to a pa- 
tient's health records. In addition, if patients notify health care providers that third 
parties are in receipt of incorrect information, physicians should be responsible for 
notifying the identified party of changes which substantially alter the insurance risk 
for an individual or substantially affect the care rendered by another health care 
professional. In contrast, asking physician practices to become the hub of a notifica- 
tion cycle between contractors and others who may be in receipt of incorrect infor- 
mation imposes unwarranted regulatory burdens on physician practices. 

Identifying Improper Disclosure 

Statutes or regulations should define explicitly improper disclosure of medical 
records. Federal policy should carve out situations where disclosure is unlawful and 
attach appropriate penalties to identified improper disclosure. This contrasts with 
the assumption that all but narrowly defined disclosure is improper. MGMA be- 
lieves that lawmakers can target prohibited behaviors without significantly hinder- 
ing health care systems' operations or medical research by assuming the impropri- 
ety of information flow. As such, MGMA supports the approach taken in Represent- 
ative Chris Shays' draft legislation, which would facilitate compliance with the stat- 
ute, rather than presuming that all disclosure is improper. 

Law Enforcement 

Law enforcement access to medical records should be balanced against a patient's 
right to privacy. Much as medical records confidentiality should be balanced against 
the above factors, it should be considered in light of law enforcement needs. While 
MGMA acknowledges law enforcement's investigative needs, we believe that law en- 
forcement access to records should not be unfettered. Health care providers should 
release medical records to law enforcement officials only when police or
investigators have obtained a court order which protects the information from further
disclosure.

In closing, we would like to thank the Subcommittee for its consideration of this
issue and of MGMA's perspective. We will continue to provide comments as the
confidentiality issue develops and appreciate the opportunity to comment on this issue.

For further information, please contact Rayna L. Richardson, Government Affairs
Representative, at (202) 293-3450. 


Statement of National Breast Cancer Coalition 

Thank you, Mr. Chairman and members of the Committee for your leadership
efforts to begin to address the important issues of patient protection and the
advancement of medical research inherent in the medical privacy discussion as we move
into a new era of research and information technology.

The National Breast Cancer Coalition (NBCC) is a grassroots advocacy organization
dedicated to eradicating breast cancer. We are made up of 400 member organizations
and hundreds of thousands of individuals. The NBCC seeks to increase the
influence of breast cancer survivors and other activists over research, clinical trials,
and public policy and to ensure access to quality health care for all women.

It is critical that as the nation begins to address issues of medical privacy, we
also address issues of genetic discrimination. The NBCC strongly believes federal
legislation is needed to establish a national policy which ensures confidentiality;
protects individuals from genetic discrimination; controls the use of health
information collected by health care payers and providers; requires authorization for
the use of an individual's health information for other purposes; and does not impede
the progress of biomedical, behavioral, epidemiological and health services research.
We believe medical research should be encouraged and pursued—but in a way that
protects the rights of individuals and enhances public trust in medical research. We
want to work together with policy makers and the scientific community to strike the
appropriate balance between the protection of individual privacy rights and the
pursuit of biomedical research.

The NBCC believes individual privacy rights are fundamental to being a citizen
in this country. As breast cancer survivors, we believe that our illness, diagnosis,
treatment and prognosis is very personal and intimate information. It is paramount
to NBCC, that individuals have the right to decide to whom and under what
circumstances their protected health information, including genetic information, will
be disclosed and the right to inspect and copy their own medical records.

In addition, the NBCC believes medical privacy and discrimination around genetic
testing are related issues which must be addressed simultaneously. Genetic
discrimination issues drive many of the underlying medical privacy concerns, so to try
to regulate medical privacy without confronting issues of genetic discrimination is
ludicrous. For example, to ensure protection against genetic discrimination,
individuals should be able to segregate certain private information to be filed separately
so it will not be distributed to health care payers with the rest of the patient's chart.
Breast cancer patients should be able to request that genetic information such as
BRCA 1 and BRCA 2 test results are not sent to insurers or others, but are sent
to the radiologist to ensure the results of a mammogram are read accordingly.

The misuse of medical information must stop. We do not want to wake up like
we did earlier this year to front-page newspaper stories about major pharmacies
selling medical records to marketing firms without authorization. Nor should we be
fearful of talking frankly with our physicians about our medical conditions because
the information may end up in the wrong hands or cost us our health insurance
or jobs. The increasing complexity of the current information age demands a public
solution to protect our rights to privacy. Federal legislation must be enacted which
will safeguard our privacy, prohibit the unauthorized disclosure of protected health
information (except under very limited exceptions) and protect an individual's
personally identified health information from misuse.

We need protection against the improper use and unauthorized disclosure of
genetic information. Everyone cheered the discovery of the breast cancer genes, BRCA
1 and BRCA 2, but if we are ever going to have the knowledge for this discovery
to make a difference in eradicating breast cancer we must limit disclosure of genetic
information and outlaw genetic discrimination in health insurance and the
workplace. Such disclosure can cause significant harm to individuals, including
stigmatization and discrimination by health insurers and employers. At the very least,
the NBCC believes that an entity should be prohibited from disclosing genetic
information without the prior written authorization of the individual. We also believe
legislation should include prohibitions against discrimination by employers, making
it unlawful to refuse to hire, to discharge, or to deprive individuals of employment
opportunities based on genetic information, including an individual's request for
genetic services. It should also extend such protections against genetic discrimination
to health insurance and prohibit health plans from denying, canceling, refusing to
renew, or changing the terms, premiums or conditions based on genetic information.

In addition, federal legislation must limit authorization for disclosure of protected 
health information only to what is necessary for the provision of treatment and pay- 
ment services. The ability of insurance companies to share medical information 
throughout its other divisions is a direct threat to the privacy and protection of med- 
ical records. Most insurance companies are complex financial institutions. Without 
protection, the same company that pays for health care would be able to share medi- 
cal information across divisions, such as life insurance, financial planning, disabil- 
ity, etc. We believe there should be strong criminal and civil penalties for inten- 
tionally or negligently using individually identifiable health information and indi- 
viduals should have a civil right of action against anyone who misuses their pro- 
tected health information. 

A critical piece to protecting medical information is informed consent. But in- 
formed consent today affords little, if any, protection. These documents are rarely 
read because of their length and legal terminology. As patients seeking medical 
care, we have to sign blanket waivers allowing disclosure of our medical information 
in order to obtain treatment or payment for care. These authorizations do not pro- 
tect us as they should from unnecessary disclosure because we have no idea how 
the information will be used. Women sign these documents because they think their 
signature is necessary to receive vital health care. The NBCC believes that any au- 
thorization should be limited to treatment services and payment purposes and that 
the definition of information that can be provided be construed as narrowly as pos- 
sible. A legal obligation of confidentiality should be imposed on those who provide 
and pay for health care, as well as on the entities that receive that health informa- 
tion. 

Securing medical privacy rights, however, should not come at the expense of medi- 
cal research. Despite our best efforts and your leadership, breast cancer is still the 
most common form of cancer in women. We still do not know the cause or have a 
cure for this dreaded disease. Over the past few years, there have been incredible 
discoveries at a very rapid rate that offer fascinating insights into the biology of 
breast cancer, such as the isolation of breast cancer susceptibility genes and discov- 
eries about the basic mechanisms of cancer cells. These discoveries have brought 
into sharp focus some of the areas of research that hold promise. 

The NBCC believes that legislation protecting medical information and privacy 
should be balanced. We want to see federal standards that safeguard personal 
health information while protecting the ability of researchers to conduct vital bio- 
medical research. We don't believe that you can have one without the other. Knowl- 
edge about how to prevent and cure breast cancer will only come if women partici- 
pate in research. But without appropriate safeguards against misuse, public distrust 
will increase and few women will be willing to participate in research efforts, wheth- 
er donating tissue or enrolling in clinical trials. Women will have the confidence to 
participate in clinical trials only if they believe that their individual health informa- 
tion will be kept private so that it can't be used against them by insurers or employ- 
ers. In addition, without a guarantee of privacy, women are less likely to be honest 
with their doctors, endangering their own health and slowing the overall progress 
of improved health care for the general population. It can't be emphasized enough 
that we must focus our attention on building public trust. There has to be real, be- 
lievable protection if women are to place their trust in the medical and research 
process. 

The NBCC would like to see the common rule protections extended beyond re- 
search funded by the National Institutes of Health. The NBCC believes these pro- 
tections should be the same for all medical research whether publicly or privately 
funded. Much benefit to research could be obtained by giving research special pri- 
vacy considerations. It may make it easier to distinguish research access from clini- 
cal chart access. 

The NBCC believes that ideally there should be one federal statute that effectively
guarantees privacy rights, but given the reality, we think it is advisable that federal 
legislation be seen as the floor; and that states should be able to pass laws that 
allow more stringent safeguards that do not, at the same time, inhibit medical re- 
search from going forward. 

Mr. Chairman, and members of the Committee, thank you again for your leader- 
ship on this important issue. We look forward to working with you to restore public 
confidence and trust in our medical system, and to achieve the necessary balance
between individual privacy and the promise of medical research.


Statement of National Pressure Ulcer Advisory Panel, Alexandria, Virginia, 

Rita Frantz 

I. Introduction

My name is Rita Frantz and I am the current President of the National Pressure
Ulcer Advisory Panel. I am also a Professor at the College of Nursing at the
University of Iowa. I am submitting this testimony on behalf of the National Pressure
Ulcer Advisory Panel (NPUAP). The NPUAP appreciates the opportunity to provide 
written comments for the record regarding patient confidentiality. 

The NPUAP is an independent, not-for-profit organization dedicated to the
prevention and management of pressure ulcers. Formed in 1987, the NPUAP is
comprised of fifteen leading authorities, representing various disciplines, including
medicine, nursing, research, physical therapy and education—all of whom share a
commitment to the prevention and management of pressure ulcers. The NPUAP serves
as a resource to health care professionals and, while not a membership organization, 
welcomes and encourages the participation of those interested in the pressure ulcer 
issues through utilization of NPUAP educational materials, participation at national 
conferences, and support of NPUAP efforts in education, public policy and research. 

Our organization was instrumental in developing the medical criteria and utiliza- 
tion parameters adopted by the Durable Medical Equipment Regional Carriers. 
Moreover, our panel members developed a definition and staging system for
pressure ulcers. The Agency for Health Care Policy and Research used these guidelines
when they developed their publication, "Pressure Ulcers in Adults: Prediction and 
Prevention." 

The goal of the NPUAP is to assist health care professionals in reducing the inci- 
dence of pressure ulcers by 50%. In order to achieve this goal, our panel members, 
independent of the NPUAP, conduct extensive clinical trials and research. The im- 
pending patient confidentiality issue greatly impacts the clinical trials and research 
of our members. The NPUAP supports respecting and preserving patient confiden- 
tiality. There is a need for enforcing privacy in medical records. Any privacy initia- 
tives, however, should not be so restrictive as to hamper quality assurance, vital 
health care research and education. 

Specifically, NPUAP is concerned that while protecting a patient's rights to pri- 
vacy, Congress's actions may inadvertently harm the interests of patients by unnec- 
essarily restricting access to information needed by researchers and clinicians to (1) 
determine the safety and effectiveness of medical treatments, (2) assess the useful- 
ness of diagnostic tests, (3) identify disease risk factors, (4) monitor the cost effec- 
tiveness of new interventions, (5) educate those entering the medical profession, and 
(6) ensure quality assurance/improvements. Such information is necessary to
continue providing the public with health care.

II. Authorization

The first issue of concern for the NPUAP regards proposed language that requires 
authorization every time a patient's record is accessed. The NPUAP agrees that pa- 
tient authorization is necessary. We believe that a patient's authorization should be 
required in order to use a patient's medical record for a clinical or chart review 
study before beginning to conduct the study. However, we believe that only one
authorization is necessary per study. If the focus of the study changes a new
authorization should be sought. Requiring authorization every time the patient's record is
accessed will greatly impact quality assurance, research and development and clini- 
cal trials as discussed in more detail below. 

Quality Assurance 

Quality assurance is required by JCAHO in every care setting that it accredits.
Some state health departments or licensing agencies also require quality assurance 
activities in all nursing homes and home health agencies. Quality assurance is a 
standard of care. Most quality assurance activities involve chart review or collecting 
clinical information to improve the quality or delivery of care. Requiring patient
authorization for every quality assurance activity would dramatically affect quality
assurance efforts due to substantial burdens on time and labor. Furthermore,
restricting data as inputs to quantitative studies minimizes the statistical significance of
the resulting conclusions.

Quality improvement review of a patient's record requiring authorization would
exclude many patients who are demented or confused and who do not have a legal
guardian. These are the very patients for whom this kind of research is important.
If we are unable to collect data on them because of the lack of a legally appointed
guardian, a large number of patients will be omitted from studies.

Chart review studies within facilities designed to monitor quality of care, track
outcomes, provide data to develop critical pathways or improve care are not truly 
"Institutional Review Board (IRB) reviewed studies." They also do not fit into the 
category of "treatment or payment" as defined in the draft legislative proposals or 
in the Secretary's recommendations. This access to medical records is an important 
quality improvement mechanism. Currently, there is no authorization requirement 
if the chart review is for quality assurance purposes. There should not be additional 
safeguards placed on facilities monitoring quality assurance or improvement. The 
NPUAP believes that quality assurance monitoring or studies should be excluded 
from any new or additional requirements. 

If the study is an IRB reviewed study, upon obtaining informed consent, the IRB 
must approve the chart review process. Technically, this requires re-review for any 
new survey questions or tests that may be added on as an after thought. If the data 
gathered is from a previous chart review and it will be used for new or different 
analysis compared to the original study's intent, a new consent is required. For ex- 
ample, if a chart is reviewed to determine risk factors for pressure ulcers and later 
decide to re-analyze the same data and publish a paper on socio-economics, a new 
consent is required. The NPUAP supports the current IRB system and would like 
to see it maintained. IRB review is specifically designed to protect the rights of sub- 
jects, including the right of confidentiality. 

Research and Clinical Trials 

Innovations in medicine and medical technology continually revolutionize health 
care research. Continued progress depends on research and clinical trials. Fre- 
quently, the clinical trials and research involve collaboration with providers to study 
the safety of products utilized in clinical practice for treatment and prevention of 
pressure ulcers. In addition, results of research studies help design new clinical 
trials and monitor how well treatments work in clinical practice. 

There is a requirement to obtain authorization for human subjects prior to enroll- 
ing them in a research study. All institutions that receive some type of federal fund- 
ing must provide for review of research involving human subjects and must ensure 
that investigators obtain consent from subjects used in their research. 

Chart review studies are a rich source for research. Many of the studies that the 
Agency for Health Care Policy and Research (AHCPR) panel used in the
development of the "Guideline for Pressure Ulcer Treatment and Prevention" were either
chart review studies or clinical trials that were built on information gained with 
pilot chart review studies. For example, much of what we know about risk factors 
for pressure ulcer development is based on chart review studies. Chart review stud- 
ies are currently approved by IRB's without individual patient authorization pro- 
vided confidentiality is maintained and there are no individual patient identifiers 
in the results. 

In general the IRBs do a good job of reviewing each proposal on its own merits 
and helping to design a process that protects subjects' confidentiality and safety,
while trying to facilitate rather than block research. Each proposal is reviewed
based on the overall risk to patients and the true need for the information. There- 
fore, in a clinical trial the patient expressly consents to the researcher's use of their 
medical information. As a result, the NPUAP does not believe that there is any need 
to require any further safeguards in this area. IRB monitored chart review research
should continue without individual patient authorization...given the protective
restrictions that currently apply.


III. Encoding 

The second topic NPUAP would like to address is the encoding issue. NPUAP be- 
lieves that if patient identifiable information is used in research or clinical studies, 
it should be encoded: replacing identifying information by a code. The identity of the 
patient is not apparent from the information itself, but from the code issued. 

If the patient's record is non-identifiable and the study contains no patient identi- 
fiable information, no consent is currently necessary. In this case, a medical record 
person, not connected with the study, makes a copy of the chart, goes through each 
page and blacks out any reference to patient identification. Non-identifiable patient 
specific information is also information that has been aggregated in such a manner
that the identities of the subjects can not be identified under any circumstances.
Under these circumstances, the charts can be used for any purpose desired by the
researcher. This process is extremely labor intensive and expensive. Non-identifiable
patient informational data is generally not as useful for research as it lacks the
detail that is required for meaningful or sophisticated analysis. A researcher could not
recheck the chart or gather additional information for their particular study with
non-identifiable patient information. A researcher could not notify the patient if
they identified a problem in the patient's care plan or treatment.

For clinical studies patient authorization documents should state that the
researcher might need access to the patient's medical information for auditing and
source verification. Furthermore, the authorization document should include a
statement that the patient identifiable information will remain confidential. By signing
the consent, the patient, or the patient's representative, has given their approval to
review the medical record.

Once the authorization is obtained, patient's information becomes randomized. A
subject number is assigned to a patient. This number is provided in an envelope,
along with the treatment assigned by the clinical product number. The principal
researcher then cites the subject number and their initials on each case report form
for the patient. Only subject numbers are used in the data listings and subsequent
reports. The identity of each patient can only be determined by the researcher.
NPUAP believes this process for research is practical.

IV. Preemption 

The NPUAP believes that the standards imposed by any legislative proposal
should be universally applied. The NPUAP believes that there should be preemption
of state laws. Uniform standards that preserve patient rights and that foster high
quality clinical research efforts should be adopted.

V. Clarifications 

In the Secretary's recommendations, and in some of the legislative drafts, there
has been language suggesting that a patient can amend their medical record. It is
unclear what type of amendments a patient would be permitted to make. If a
patient is simply amending administrative items (address, phone number) that is
acceptable. However, the NPUAP strongly disagrees with any language allowing a
patient to amend medical or diagnosis information. The NPUAP believes that you
should either prohibit a patient from amending their medical records or clarify this
language to reflect what type of amendments a patient could make to their record.
By not having this clarification and stating that a patient can amend their medical
records, you imply they can amend their medical or diagnosis information. Besides
the impending medical malpractice that would result, a patient should not be able
to amend their medical information. NPUAP urges you to clarify the language so
a patient is prohibited from amending any medical or diagnosis information
contained in their medical record.

In the Secretary's recommendations and in drafted legislative proposals
authorization is not required for disclosure of protected health information for payment
purposes. It is unclear what is included in the term "payment purposes." If a provider
of services were required to obtain a certificate of medical necessity, which includes 
patient identifiable information in order to be paid, would they be permitted to ob- 
tain the information without authorization? 

A patient's record must be accessible to providers to the extent the information 
is needed to facilitate billing and care plan development. Failing to keep these 
records available could lead to duplication of services, missed diagnosis, and possibly 
abusive billing practices. Without the data required to establish medical necessity 
a provider would either not get paid or they could not successfully appeal any deni- 
als. The NPUAP believes a provider should be required to obtain a one time billing 
authorization. However, to require providers to obtain an authorization every time
a provider needed information for billing or appeals purposes would be a costly bur- 
den. The definition for "payment purposes" must be clarified. 

VI. Conclusion

In summary, as your Subcommittee considers patient medical records privacy and 
confidentiality standards, the NPUAP implores you to remember how vital medical 
and records research is to maintaining and improving health care. Research on pre- 
vention, new treatments and products depends on patient's participation in clinical 
trials and researcher's access to their relevant medical information as well as patient
databases.

Blanket signed authorizations allowing transfers of medical information to insur- 
ance companies, credit organizations, employers, etc. is problematic. This informa- 
tion can be either sold or transferred to national data banks where information may 
be used against the consumer or used for discriminatory purposes. This process 
should be stopped and medical information should be protected. 

The NPUAP supports reasonable protections with appropriate safeguards. The 
NPUAP supports legislative language requiring patient authorization. However, we 
believe the requirements of the IRB are stringent enough and therefore, clinical re- 
search should be exempt from any new or additional requirements. The NPUAP also 
believes that access to encoded data should be excluded from any new requirements 
or restrictions applicable to information that identifies the patient. Only data 
sources or collections of samples that directly identify individuals should be subject 
to confidentiality protections. Finally, uniform national standards that preempt 
state laws concerning confidentiality are necessary. 

The NPUAP thanks you for the opportunity to submit this written testimony. We 
would be happy to provide you with any additional information or answer any ques- 
tions you may have. 


Statement of Congressman Christopher Shays 

Thank you Mr. Chairman and Members of the Committee for the opportunity to 
provide you with my thoughts on medical records confidentiality. 

On September 11, Secretary Shalala testified that protecting the confidentiality
of medical records is critical as our health system enters the 21st century. I couldn't 
agree more. 

Under the Health Insurance Portability and Accountability Act, known as HIPAA 
or Kassebaum-Kennedy, Congress set a schedule for action on this issue. Should 
Congress fail to enact comprehensive legislation to protect the confidentiality of
patients' medical records by August of next year, the Secretary will promulgate
regulations by February 2000. I do not welcome the prospect that the Secretary will
impose regulations—without Congressional debate or review—that could impact all
facets of our health care system. 

I want to recognize the efforts of Senators Bennett and Jeffords to move forward
in this area. Their recognition that this is a serious problem has elevated the debate 
to a "must do" issue. Generally, the Senate has been driving the debate on legisla- 
tion to protect the confidentiality of medical records. I am concerned, however, that 
the approach currently being devised by the Senate Labor Committee is overly bur- 
densome. That is why I have been working on a different approach to spark discus- 
sion on this side of Capitol Hill. It is an important effort that I hope this sub- 
committee examines carefully. 

Mr. Chairman, this is a complex problem that spans a broad spectrum of inter- 
ests. In general, there are two opposing camps with very distinct and legitimate 
claims. One seeks to secure absolute privacy that would make it difficult, if not im- 
possible, to coordinate the delivery of health services. The other seeks to protect the 
confidentiality of medical records and maintain largely untouched the current low 
standard of protections currently afforded to health information. I believe the solu- 
tion lies somewhere in between. 

Those who seek to secure absolute privacy in a health context are prescribing a 
disaster for our health delivery system. We need to balance competing interests, be- 
tween a person's legitimate expectation of confidentiality and a business's need to 
know what it is paying for. In my judgment, the way to accomplish this is to leave 
the computer databases alone—and criminalize misuse of their data, recognizing
there are both appropriate and inappropriate uses for medical information. 

Unfortunately, there is no guiding legal principle in this area. Instead, there is 
a patchwork of state and federal law that protects people in some states with some 
diagnoses but not others. A strong, uniform law is necessary to preempt the quilt 
of state protections that treat medical records differently. Multi-state health plans 
that submit bills to clearinghouses who then forward claims to separate payors can- 
not operate through a maze of differing standards, regulations and restrictions. 

The bill I intend to introduce next week, hopefully with the Chairman's support, 
will protect the confidentiality of medical records while protecting legitimate uses. 
The legislation will delineate the inappropriate uses of medical information—such
as intentional or negligent disclosure, sale or commercial publication, or the use of
fraud, deceit or misrepresentation to access information. These prohibitions relate
specifically to individually identifiable information. Use of anonymous information
will not be affected, unless intentionally decoded.

In addition, my bill will allow patients to inspect, copy and, where appropriate,
amend their medical records. Finally, the bill will impose strong criminal and civil
penalties for inappropriate disclosures, and will preempt state law, creating a
uniform system. Combined, these proposals should enhance the security of the patient
medical record without jeopardizing advances in quality health care.

With current technology and future advances there are both real dangers and
substantial opportunities with respect to protected health information. Absent strong,
practical and workable standards, many will fall victim to those dangers and
opportunities will be missed.

Innovative developments in the delivery of health services and technological
advancements mean health information is both more important and more vulnerable.
While we can all agree that sensitive information such as psychological evaluations
and drug abuse counseling needs to be kept private, we also need to allow health
plans and researchers to review health information to improve education and
treatment.

It is my hope we can pass a national confidentiality law assuring patients' rights,
while balancing the interests of payors and providers, data processors, law
enforcement agencies, and researchers. Congress should pass legislation to secure the
confidentiality of medical records, and it should be done this year.

Mr. Chairman, I appreciate the opportunity to share these views with you. 




